1 
2 /* pngvalid.c - validate libpng by constructing then reading png files.
3  *
4  * Last changed in libpng 1.6.24 [August 4, 2016]
5  * Copyright (c) 2014-2016 Glenn Randers-Pehrson
6  * Written by John Cunningham Bowler
7  *
8  * This code is released under the libpng license.
9  * For conditions of distribution and use, see the disclaimer
10  * and license in png.h
11  *
12  * NOTES:
13  *   This is a C program that is intended to be linked against libpng.  It
14  *   generates bitmaps internally, stores them as PNG files (using the
15  *   sequential write code) then reads them back (using the sequential
16  *   read code) and validates that the result has the correct data.
17  *
18  *   The program can be modified and extended to test the correctness of
19  *   transformations performed by libpng.
20  */
21 
22 #define _POSIX_SOURCE 1
23 #define _ISOC99_SOURCE 1 /* For floating point */
24 #define _GNU_SOURCE 1 /* For the floating point exception extension */
25 
26 #include <signal.h>
27 #include <stdio.h>
28 
29 #if defined(HAVE_CONFIG_H) && !defined(PNG_NO_CONFIG_H)
30 #  include <config.h>
31 #endif
32 
33 #ifdef HAVE_FEENABLEEXCEPT /* from config.h, if included */
34 #  include <fenv.h>
35 #endif
36 
37 #ifndef FE_DIVBYZERO
38 #  define FE_DIVBYZERO 0
39 #endif
40 #ifndef FE_INVALID
41 #  define FE_INVALID 0
42 #endif
43 #ifndef FE_OVERFLOW
44 #  define FE_OVERFLOW 0
45 #endif
46 
47 /* Define the following to use this test against your installed libpng, rather
48  * than the one being built here:
49  */
50 #ifdef PNG_FREESTANDING_TESTS
51 #  include <png.h>
52 #else
53 #  include "../../png.h"
54 #endif
55 
56 #ifdef PNG_ZLIB_HEADER
57 #  include PNG_ZLIB_HEADER
58 #else
59 #  include <zlib.h>   /* For crc32 */
60 #endif
61 
62 /* 1.6.1 added support for the configure test harness, which uses 77 to indicate
63  * a skipped test, in earlier versions we need to succeed on a skipped test, so:
64  */
65 #if PNG_LIBPNG_VER >= 10601 && defined(HAVE_CONFIG_H)
66 #  define SKIP 77
67 #else
68 #  define SKIP 0
69 #endif
70 
71 /* pngvalid requires write support and one of the fixed or floating point APIs.
72  */
73 #if defined(PNG_WRITE_SUPPORTED) &&\
74    (defined(PNG_FIXED_POINT_SUPPORTED) || defined(PNG_FLOATING_POINT_SUPPORTED))
75 
76 #if PNG_LIBPNG_VER < 10500
77 /* This deliberately lacks the const. */
78 typedef png_byte *png_const_bytep;
79 
80 /* This is copied from 1.5.1 png.h: */
81 #define PNG_INTERLACE_ADAM7_PASSES 7
82 #define PNG_PASS_START_ROW(pass) (((1U&~(pass))<<(3-((pass)>>1)))&7)
83 #define PNG_PASS_START_COL(pass) (((1U& (pass))<<(3-(((pass)+1)>>1)))&7)
84 #define PNG_PASS_ROW_SHIFT(pass) ((pass)>2?(8-(pass))>>1:3)
85 #define PNG_PASS_COL_SHIFT(pass) ((pass)>1?(7-(pass))>>1:3)
86 #define PNG_PASS_ROWS(height, pass) (((height)+(((1<<PNG_PASS_ROW_SHIFT(pass))\
87    -1)-PNG_PASS_START_ROW(pass)))>>PNG_PASS_ROW_SHIFT(pass))
88 #define PNG_PASS_COLS(width, pass) (((width)+(((1<<PNG_PASS_COL_SHIFT(pass))\
89    -1)-PNG_PASS_START_COL(pass)))>>PNG_PASS_COL_SHIFT(pass))
90 #define PNG_ROW_FROM_PASS_ROW(yIn, pass) \
91    (((yIn)<<PNG_PASS_ROW_SHIFT(pass))+PNG_PASS_START_ROW(pass))
92 #define PNG_COL_FROM_PASS_COL(xIn, pass) \
93    (((xIn)<<PNG_PASS_COL_SHIFT(pass))+PNG_PASS_START_COL(pass))
94 #define PNG_PASS_MASK(pass,off) ( \
95    ((0x110145AFU>>(((7-(off))-(pass))<<2)) & 0xFU) | \
96    ((0x01145AF0U>>(((7-(off))-(pass))<<2)) & 0xF0U))
97 #define PNG_ROW_IN_INTERLACE_PASS(y, pass) \
98    ((PNG_PASS_MASK(pass,0) >> ((y)&7)) & 1)
99 #define PNG_COL_IN_INTERLACE_PASS(x, pass) \
100    ((PNG_PASS_MASK(pass,1) >> ((x)&7)) & 1)
101 
102 /* These are needed too for the default build: */
103 #define PNG_WRITE_16BIT_SUPPORTED
104 #define PNG_READ_16BIT_SUPPORTED
105 
106 /* This comes from pnglibconf.h afer 1.5: */
107 #define PNG_FP_1 100000
108 #define PNG_GAMMA_THRESHOLD_FIXED\
109    ((png_fixed_point)(PNG_GAMMA_THRESHOLD * PNG_FP_1))
110 #endif
111 
112 #if PNG_LIBPNG_VER < 10600
113    /* 1.6.0 constifies many APIs, the following exists to allow pngvalid to be
114     * compiled against earlier versions.
115     */
116 #  define png_const_structp png_structp
117 #endif
118 
119 #ifndef RELEASE_BUILD
120    /* RELEASE_BUILD is true for releases and release candidates: */
121 #  define RELEASE_BUILD (PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC)
122 #endif
123 #if RELEASE_BUILD
124 #   define debugonly(something)
125 #else /* !RELEASE_BUILD */
126 #   define debugonly(something) something
127 #endif /* !RELEASE_BUILD */
128 
129 #include <float.h>  /* For floating point constants */
130 #include <stdlib.h> /* For malloc */
131 #include <string.h> /* For memcpy, memset */
132 #include <math.h>   /* For floor */
133 
134 /* Convenience macros. */
135 #define CHUNK(a,b,c,d) (((a)<<24)+((b)<<16)+((c)<<8)+(d))
136 #define CHUNK_IHDR CHUNK(73,72,68,82)
137 #define CHUNK_PLTE CHUNK(80,76,84,69)
138 #define CHUNK_IDAT CHUNK(73,68,65,84)
139 #define CHUNK_IEND CHUNK(73,69,78,68)
140 #define CHUNK_cHRM CHUNK(99,72,82,77)
141 #define CHUNK_gAMA CHUNK(103,65,77,65)
142 #define CHUNK_sBIT CHUNK(115,66,73,84)
143 #define CHUNK_sRGB CHUNK(115,82,71,66)
144 
145 /* Unused formal parameter errors are removed using the following macro which is
146  * expected to have no bad effects on performance.
147  */
148 #ifndef UNUSED
149 #  if defined(__GNUC__) || defined(_MSC_VER)
150 #     define UNUSED(param) (void)param;
151 #  else
152 #     define UNUSED(param)
153 #  endif
154 #endif
155 
156 /***************************** EXCEPTION HANDLING *****************************/
157 #ifdef PNG_FREESTANDING_TESTS
158 #  include <cexcept.h>
159 #else
160 #  include "../visupng/cexcept.h"
161 #endif
162 
163 #ifdef __cplusplus
164 #  define this not_the_cpp_this
165 #  define new not_the_cpp_new
166 #  define voidcast(type, value) static_cast<type>(value)
167 #else
168 #  define voidcast(type, value) (value)
169 #endif /* __cplusplus */
170 
171 struct png_store;
172 define_exception_type(struct png_store*);
173 
174 /* The following are macros to reduce typing everywhere where the well known
175  * name 'the_exception_context' must be defined.
176  */
177 #define anon_context(ps) struct exception_context *the_exception_context = \
178    &(ps)->exception_context
179 #define context(ps,fault) anon_context(ps); png_store *fault
180 
181 /* This macro returns the number of elements in an array as an (unsigned int),
182  * it is necessary to avoid the inability of certain versions of GCC to use
183  * the value of a compile-time constant when performing range checks.  It must
184  * be passed an array name.
185  */
186 #define ARRAY_SIZE(a) ((unsigned int)((sizeof (a))/(sizeof (a)[0])))
187 
188 /* GCC BUG 66447 (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66447) requires
189  * some broken GCC versions to be fixed up to avoid invalid whining about auto
190  * variables that are *not* changed within the scope of a setjmp being changed.
191  *
192  * Feel free to extend the list of broken versions.
193  */
194 #define is_gnu(major,minor)\
195    (defined __GNUC__) && __GNUC__ == (major) && __GNUC_MINOR__ == (minor)
196 #define is_gnu_patch(major,minor,patch)\
197    is_gnu(major,minor) && __GNUC_PATCHLEVEL__ == 0
198 /* For the moment just do it always; all versions of GCC seem to be broken: */
199 #ifdef __GNUC__
200    const void * volatile make_volatile_for_gnu;
201 #  define gnu_volatile(x) make_volatile_for_gnu = &x;
202 #else /* !GNUC broken versions */
203 #  define gnu_volatile(x)
204 #endif /* !GNUC broken versions */
205 
206 /******************************* UTILITIES ************************************/
207 /* Error handling is particularly problematic in production code - error
208  * handlers often themselves have bugs which lead to programs that detect
209  * minor errors crashing.  The following functions deal with one very
210  * common class of errors in error handlers - attempting to format error or
211  * warning messages into buffers that are too small.
212  */
safecat(char * buffer,size_t bufsize,size_t pos,const char * cat)213 static size_t safecat(char *buffer, size_t bufsize, size_t pos,
214    const char *cat)
215 {
216    while (pos < bufsize && cat != NULL && *cat != 0)
217       buffer[pos++] = *cat++;
218 
219    if (pos >= bufsize)
220       pos = bufsize-1;
221 
222    buffer[pos] = 0;
223    return pos;
224 }
225 
safecatn(char * buffer,size_t bufsize,size_t pos,int n)226 static size_t safecatn(char *buffer, size_t bufsize, size_t pos, int n)
227 {
228    char number[64];
229    sprintf(number, "%d", n);
230    return safecat(buffer, bufsize, pos, number);
231 }
232 
233 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
safecatd(char * buffer,size_t bufsize,size_t pos,double d,int precision)234 static size_t safecatd(char *buffer, size_t bufsize, size_t pos, double d,
235     int precision)
236 {
237    char number[64];
238    sprintf(number, "%.*f", precision, d);
239    return safecat(buffer, bufsize, pos, number);
240 }
241 #endif
242 
243 static const char invalid[] = "invalid";
244 static const char sep[] = ": ";
245 
246 static const char *colour_types[8] =
247 {
248    "grayscale", invalid, "truecolour", "indexed-colour",
249    "grayscale with alpha", invalid, "truecolour with alpha", invalid
250 };
251 
252 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
253 /* Convert a double precision value to fixed point. */
254 static png_fixed_point
fix(double d)255 fix(double d)
256 {
257    d = floor(d * PNG_FP_1 + .5);
258    return (png_fixed_point)d;
259 }
260 #endif /* PNG_READ_SUPPORTED */
261 
262 /* Generate random bytes.  This uses a boring repeatable algorithm and it
263  * is implemented here so that it gives the same set of numbers on every
264  * architecture.  It's a linear congruential generator (Knuth or Sedgewick
265  * "Algorithms") but it comes from the 'feedback taps' table in Horowitz and
266  * Hill, "The Art of Electronics" (Pseudo-Random Bit Sequences and Noise
267  * Generation.)
268  */
269 static void
make_random_bytes(png_uint_32 * seed,void * pv,size_t size)270 make_random_bytes(png_uint_32* seed, void* pv, size_t size)
271 {
272    png_uint_32 u0 = seed[0], u1 = seed[1];
273    png_bytep bytes = voidcast(png_bytep, pv);
274 
275    /* There are thirty three bits, the next bit in the sequence is bit-33 XOR
276     * bit-20.  The top 1 bit is in u1, the bottom 32 are in u0.
277     */
278    size_t i;
279    for (i=0; i<size; ++i)
280    {
281       /* First generate 8 new bits then shift them in at the end. */
282       png_uint_32 u = ((u0 >> (20-8)) ^ ((u1 << 7) | (u0 >> (32-7)))) & 0xff;
283       u1 <<= 8;
284       u1 |= u0 >> 24;
285       u0 <<= 8;
286       u0 |= u;
287       *bytes++ = (png_byte)u;
288    }
289 
290    seed[0] = u0;
291    seed[1] = u1;
292 }
293 
294 static void
make_four_random_bytes(png_uint_32 * seed,png_bytep bytes)295 make_four_random_bytes(png_uint_32* seed, png_bytep bytes)
296 {
297    make_random_bytes(seed, bytes, 4);
298 }
299 
300 #if defined PNG_READ_SUPPORTED || defined PNG_WRITE_tRNS_SUPPORTED ||\
301     defined PNG_WRITE_FILTER_SUPPORTED
302 static void
randomize(void * pv,size_t size)303 randomize(void *pv, size_t size)
304 {
305    static png_uint_32 random_seed[2] = {0x56789abc, 0xd};
306    make_random_bytes(random_seed, pv, size);
307 }
308 
309 #define R8(this) randomize(&(this), sizeof (this))
310 
311 #ifdef PNG_READ_SUPPORTED
312 static png_byte
random_byte(void)313 random_byte(void)
314 {
315    unsigned char b1[1];
316    randomize(b1, sizeof b1);
317    return b1[0];
318 }
319 #endif /* READ */
320 
321 static png_uint_16
random_u16(void)322 random_u16(void)
323 {
324    unsigned char b2[2];
325    randomize(b2, sizeof b2);
326    return png_get_uint_16(b2);
327 }
328 
329 #if defined PNG_READ_RGB_TO_GRAY_SUPPORTED ||\
330     defined PNG_READ_FILLER_SUPPORTED
331 static png_uint_32
random_u32(void)332 random_u32(void)
333 {
334    unsigned char b4[4];
335    randomize(b4, sizeof b4);
336    return png_get_uint_32(b4);
337 }
338 #endif /* READ_FILLER || READ_RGB_TO_GRAY */
339 
340 #endif /* READ || WRITE_tRNS || WRITE_FILTER */
341 
342 #if defined PNG_READ_TRANSFORMS_SUPPORTED ||\
343     defined PNG_WRITE_FILTER_SUPPORTED
344 static unsigned int
random_mod(unsigned int max)345 random_mod(unsigned int max)
346 {
347    return random_u16() % max; /* 0 .. max-1 */
348 }
349 #endif /* READ_TRANSFORMS || WRITE_FILTER */
350 
351 #if (defined PNG_READ_RGB_TO_GRAY_SUPPORTED) ||\
352     (defined PNG_READ_FILLER_SUPPORTED)
353 static int
random_choice(void)354 random_choice(void)
355 {
356    return random_byte() & 1;
357 }
358 #endif /* READ_RGB_TO_GRAY || READ_FILLER */
359 
360 /* A numeric ID based on PNG file characteristics.  The 'do_interlace' field
361  * simply records whether pngvalid did the interlace itself or whether it
362  * was done by libpng.  Width and height must be less than 256.  'palette' is an
363  * index of the palette to use for formats with a palette otherwise a boolean
364  * indicating if a tRNS chunk was generated.
365  */
366 #define FILEID(col, depth, palette, interlace, width, height, do_interlace) \
367    ((png_uint_32)((col) + ((depth)<<3) + ((palette)<<8) + ((interlace)<<13) + \
368     (((do_interlace)!=0)<<15) + ((width)<<16) + ((height)<<24)))
369 
370 #define COL_FROM_ID(id) ((png_byte)((id)& 0x7U))
371 #define DEPTH_FROM_ID(id) ((png_byte)(((id) >> 3) & 0x1fU))
372 #define PALETTE_FROM_ID(id) (((id) >> 8) & 0x1f)
373 #define INTERLACE_FROM_ID(id) ((png_byte)(((id) >> 13) & 0x3))
374 #define DO_INTERLACE_FROM_ID(id) ((int)(((id)>>15) & 1))
375 #define WIDTH_FROM_ID(id) (((id)>>16) & 0xff)
376 #define HEIGHT_FROM_ID(id) (((id)>>24) & 0xff)
377 
378 /* Utility to construct a standard name for a standard image. */
379 static size_t
standard_name(char * buffer,size_t bufsize,size_t pos,png_byte colour_type,int bit_depth,unsigned int npalette,int interlace_type,png_uint_32 w,png_uint_32 h,int do_interlace)380 standard_name(char *buffer, size_t bufsize, size_t pos, png_byte colour_type,
381     int bit_depth, unsigned int npalette, int interlace_type,
382     png_uint_32 w, png_uint_32 h, int do_interlace)
383 {
384    pos = safecat(buffer, bufsize, pos, colour_types[colour_type]);
385    if (colour_type == 3) /* must have a palette */
386    {
387       pos = safecat(buffer, bufsize, pos, "[");
388       pos = safecatn(buffer, bufsize, pos, npalette);
389       pos = safecat(buffer, bufsize, pos, "]");
390    }
391 
392    else if (npalette != 0)
393       pos = safecat(buffer, bufsize, pos, "+tRNS");
394 
395    pos = safecat(buffer, bufsize, pos, " ");
396    pos = safecatn(buffer, bufsize, pos, bit_depth);
397    pos = safecat(buffer, bufsize, pos, " bit");
398 
399    if (interlace_type != PNG_INTERLACE_NONE)
400    {
401       pos = safecat(buffer, bufsize, pos, " interlaced");
402       if (do_interlace)
403          pos = safecat(buffer, bufsize, pos, "(pngvalid)");
404       else
405          pos = safecat(buffer, bufsize, pos, "(libpng)");
406    }
407 
408    if (w > 0 || h > 0)
409    {
410       pos = safecat(buffer, bufsize, pos, " ");
411       pos = safecatn(buffer, bufsize, pos, w);
412       pos = safecat(buffer, bufsize, pos, "x");
413       pos = safecatn(buffer, bufsize, pos, h);
414    }
415 
416    return pos;
417 }
418 
419 static size_t
standard_name_from_id(char * buffer,size_t bufsize,size_t pos,png_uint_32 id)420 standard_name_from_id(char *buffer, size_t bufsize, size_t pos, png_uint_32 id)
421 {
422    return standard_name(buffer, bufsize, pos, COL_FROM_ID(id),
423       DEPTH_FROM_ID(id), PALETTE_FROM_ID(id), INTERLACE_FROM_ID(id),
424       WIDTH_FROM_ID(id), HEIGHT_FROM_ID(id), DO_INTERLACE_FROM_ID(id));
425 }
426 
427 /* Convenience API and defines to list valid formats.  Note that 16 bit read and
428  * write support is required to do 16 bit read tests (we must be able to make a
429  * 16 bit image to test!)
430  */
431 #ifdef PNG_WRITE_16BIT_SUPPORTED
432 #  define WRITE_BDHI 4
433 #  ifdef PNG_READ_16BIT_SUPPORTED
434 #     define READ_BDHI 4
435 #     define DO_16BIT
436 #  endif
437 #else
438 #  define WRITE_BDHI 3
439 #endif
440 #ifndef DO_16BIT
441 #  define READ_BDHI 3
442 #endif
443 
444 /* The following defines the number of different palettes to generate for
445  * each log bit depth of a colour type 3 standard image.
446  */
447 #define PALETTE_COUNT(bit_depth) ((bit_depth) > 4 ? 1U : 16U)
448 
449 static int
next_format(png_bytep colour_type,png_bytep bit_depth,unsigned int * palette_number,int low_depth_gray,int tRNS)450 next_format(png_bytep colour_type, png_bytep bit_depth,
451    unsigned int* palette_number, int low_depth_gray, int tRNS)
452 {
453    if (*bit_depth == 0)
454    {
455       *colour_type = 0;
456       if (low_depth_gray)
457          *bit_depth = 1;
458       else
459          *bit_depth = 8;
460       *palette_number = 0;
461       return 1;
462    }
463 
464    if  (*colour_type < 4/*no alpha channel*/)
465    {
466       /* Add multiple palettes for colour type 3, one image with tRNS
467        * and one without for other non-alpha formats:
468        */
469       unsigned int pn = ++*palette_number;
470       png_byte ct = *colour_type;
471 
472       if (((ct == 0/*GRAY*/ || ct/*RGB*/ == 2) && tRNS && pn < 2) ||
473           (ct == 3/*PALETTE*/ && pn < PALETTE_COUNT(*bit_depth)))
474          return 1;
475 
476       /* No: next bit depth */
477       *palette_number = 0;
478    }
479 
480    *bit_depth = (png_byte)(*bit_depth << 1);
481 
482    /* Palette images are restricted to 8 bit depth */
483    if (*bit_depth <= 8
484 #ifdef DO_16BIT
485          || (*colour_type != 3 && *bit_depth <= 16)
486 #endif
487       )
488       return 1;
489 
490    /* Move to the next color type, or return 0 at the end. */
491    switch (*colour_type)
492    {
493       case 0:
494          *colour_type = 2;
495          *bit_depth = 8;
496          return 1;
497 
498       case 2:
499          *colour_type = 3;
500          *bit_depth = 1;
501          return 1;
502 
503       case 3:
504          *colour_type = 4;
505          *bit_depth = 8;
506          return 1;
507 
508       case 4:
509          *colour_type = 6;
510          *bit_depth = 8;
511          return 1;
512 
513       default:
514          return 0;
515    }
516 }
517 
518 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
519 static unsigned int
sample(png_const_bytep row,png_byte colour_type,png_byte bit_depth,png_uint_32 x,unsigned int sample_index,int swap16,int littleendian)520 sample(png_const_bytep row, png_byte colour_type, png_byte bit_depth,
521     png_uint_32 x, unsigned int sample_index, int swap16, int littleendian)
522 {
523    png_uint_32 bit_index, result;
524 
525    /* Find a sample index for the desired sample: */
526    x *= bit_depth;
527    bit_index = x;
528 
529    if ((colour_type & 1) == 0) /* !palette */
530    {
531       if (colour_type & 2)
532          bit_index *= 3;
533 
534       if (colour_type & 4)
535          bit_index += x; /* Alpha channel */
536 
537       /* Multiple channels; select one: */
538       if (colour_type & (2+4))
539          bit_index += sample_index * bit_depth;
540    }
541 
542    /* Return the sample from the row as an integer. */
543    row += bit_index >> 3;
544    result = *row;
545 
546    if (bit_depth == 8)
547       return result;
548 
549    else if (bit_depth > 8)
550    {
551       if (swap16)
552          return (*++row << 8) + result;
553       else
554          return (result << 8) + *++row;
555    }
556 
557    /* Less than 8 bits per sample.  By default PNG has the big end of
558     * the egg on the left of the screen, but if littleendian is set
559     * then the big end is on the right.
560     */
561    bit_index &= 7;
562 
563    if (!littleendian)
564       bit_index = 8-bit_index-bit_depth;
565 
566    return (result >> bit_index) & ((1U<<bit_depth)-1);
567 }
568 #endif /* PNG_READ_TRANSFORMS_SUPPORTED */
569 
570 /* Copy a single pixel, of a given size, from one buffer to another -
571  * while this is basically bit addressed there is an implicit assumption
572  * that pixels 8 or more bits in size are byte aligned and that pixels
573  * do not otherwise cross byte boundaries.  (This is, so far as I know,
574  * universally true in bitmap computer graphics.  [JCB 20101212])
575  *
576  * NOTE: The to and from buffers may be the same.
577  */
578 static void
pixel_copy(png_bytep toBuffer,png_uint_32 toIndex,png_const_bytep fromBuffer,png_uint_32 fromIndex,unsigned int pixelSize,int littleendian)579 pixel_copy(png_bytep toBuffer, png_uint_32 toIndex,
580    png_const_bytep fromBuffer, png_uint_32 fromIndex, unsigned int pixelSize,
581    int littleendian)
582 {
583    /* Assume we can multiply by 'size' without overflow because we are
584     * just working in a single buffer.
585     */
586    toIndex *= pixelSize;
587    fromIndex *= pixelSize;
588    if (pixelSize < 8) /* Sub-byte */
589    {
590       /* Mask to select the location of the copied pixel: */
591       unsigned int destMask = ((1U<<pixelSize)-1) <<
592          (littleendian ? toIndex&7 : 8-pixelSize-(toIndex&7));
593       /* The following read the entire pixels and clears the extra: */
594       unsigned int destByte = toBuffer[toIndex >> 3] & ~destMask;
595       unsigned int sourceByte = fromBuffer[fromIndex >> 3];
596 
597       /* Don't rely on << or >> supporting '0' here, just in case: */
598       fromIndex &= 7;
599       if (littleendian)
600       {
601          if (fromIndex > 0) sourceByte >>= fromIndex;
602          if ((toIndex & 7) > 0) sourceByte <<= toIndex & 7;
603       }
604 
605       else
606       {
607          if (fromIndex > 0) sourceByte <<= fromIndex;
608          if ((toIndex & 7) > 0) sourceByte >>= toIndex & 7;
609       }
610 
611       toBuffer[toIndex >> 3] = (png_byte)(destByte | (sourceByte & destMask));
612    }
613    else /* One or more bytes */
614       memmove(toBuffer+(toIndex>>3), fromBuffer+(fromIndex>>3), pixelSize>>3);
615 }
616 
617 #ifdef PNG_READ_SUPPORTED
618 /* Copy a complete row of pixels, taking into account potential partial
619  * bytes at the end.
620  */
621 static void
row_copy(png_bytep toBuffer,png_const_bytep fromBuffer,unsigned int bitWidth,int littleendian)622 row_copy(png_bytep toBuffer, png_const_bytep fromBuffer, unsigned int bitWidth,
623       int littleendian)
624 {
625    memcpy(toBuffer, fromBuffer, bitWidth >> 3);
626 
627    if ((bitWidth & 7) != 0)
628    {
629       unsigned int mask;
630 
631       toBuffer += bitWidth >> 3;
632       fromBuffer += bitWidth >> 3;
633       if (littleendian)
634          mask = 0xff << (bitWidth & 7);
635       else
636          mask = 0xff >> (bitWidth & 7);
637       *toBuffer = (png_byte)((*toBuffer & mask) | (*fromBuffer & ~mask));
638    }
639 }
640 
641 /* Compare pixels - they are assumed to start at the first byte in the
642  * given buffers.
643  */
644 static int
pixel_cmp(png_const_bytep pa,png_const_bytep pb,png_uint_32 bit_width)645 pixel_cmp(png_const_bytep pa, png_const_bytep pb, png_uint_32 bit_width)
646 {
647 #if PNG_LIBPNG_VER < 10506
648    if (memcmp(pa, pb, bit_width>>3) == 0)
649    {
650       png_uint_32 p;
651 
652       if ((bit_width & 7) == 0) return 0;
653 
654       /* Ok, any differences? */
655       p = pa[bit_width >> 3];
656       p ^= pb[bit_width >> 3];
657 
658       if (p == 0) return 0;
659 
660       /* There are, but they may not be significant, remove the bits
661        * after the end (the low order bits in PNG.)
662        */
663       bit_width &= 7;
664       p >>= 8-bit_width;
665 
666       if (p == 0) return 0;
667    }
668 #else
669    /* From libpng-1.5.6 the overwrite should be fixed, so compare the trailing
670     * bits too:
671     */
672    if (memcmp(pa, pb, (bit_width+7)>>3) == 0)
673       return 0;
674 #endif
675 
676    /* Return the index of the changed byte. */
677    {
678       png_uint_32 where = 0;
679 
680       while (pa[where] == pb[where]) ++where;
681       return 1+where;
682    }
683 }
684 #endif /* PNG_READ_SUPPORTED */
685 
686 /*************************** BASIC PNG FILE WRITING ***************************/
687 /* A png_store takes data from the sequential writer or provides data
688  * to the sequential reader.  It can also store the result of a PNG
689  * write for later retrieval.
690  */
691 #define STORE_BUFFER_SIZE 500 /* arbitrary */
692 typedef struct png_store_buffer
693 {
694    struct png_store_buffer*  prev;    /* NOTE: stored in reverse order */
695    png_byte                  buffer[STORE_BUFFER_SIZE];
696 } png_store_buffer;
697 
698 #define FILE_NAME_SIZE 64
699 
700 typedef struct store_palette_entry /* record of a single palette entry */
701 {
702    png_byte red;
703    png_byte green;
704    png_byte blue;
705    png_byte alpha;
706 } store_palette_entry, store_palette[256];
707 
708 typedef struct png_store_file
709 {
710    struct png_store_file*  next;      /* as many as you like... */
711    char                    name[FILE_NAME_SIZE];
712    unsigned int            IDAT_bits; /* Number of bits in IDAT size */
713    png_uint_32             IDAT_size; /* Total size of IDAT data */
714    png_uint_32             id;        /* must be correct (see FILEID) */
715    png_size_t              datacount; /* In this (the last) buffer */
716    png_store_buffer        data;      /* Last buffer in file */
717    int                     npalette;  /* Number of entries in palette */
718    store_palette_entry*    palette;   /* May be NULL */
719 } png_store_file;
720 
721 /* The following is a pool of memory allocated by a single libpng read or write
722  * operation.
723  */
724 typedef struct store_pool
725 {
726    struct png_store    *store;   /* Back pointer */
727    struct store_memory *list;    /* List of allocated memory */
728    png_byte             mark[4]; /* Before and after data */
729 
730    /* Statistics for this run. */
731    png_alloc_size_t     max;     /* Maximum single allocation */
732    png_alloc_size_t     current; /* Current allocation */
733    png_alloc_size_t     limit;   /* Highest current allocation */
734    png_alloc_size_t     total;   /* Total allocation */
735 
736    /* Overall statistics (retained across successive runs). */
737    png_alloc_size_t     max_max;
738    png_alloc_size_t     max_limit;
739    png_alloc_size_t     max_total;
740 } store_pool;
741 
742 typedef struct png_store
743 {
744    /* For cexcept.h exception handling - simply store one of these;
745     * the context is a self pointer but it may point to a different
746     * png_store (in fact it never does in this program.)
747     */
748    struct exception_context
749                       exception_context;
750 
751    unsigned int       verbose :1;
752    unsigned int       treat_warnings_as_errors :1;
753    unsigned int       expect_error :1;
754    unsigned int       expect_warning :1;
755    unsigned int       saw_warning :1;
756    unsigned int       speed :1;
757    unsigned int       progressive :1; /* use progressive read */
758    unsigned int       validated :1;   /* used as a temporary flag */
759    int                nerrors;
760    int                nwarnings;
761    int                noptions;       /* number of options below: */
762    struct {
763       unsigned char   option;         /* option number, 0..30 */
764       unsigned char   setting;        /* setting (unset,invalid,on,off) */
765    }                  options[16];
766    char               test[128];      /* Name of test */
767    char               error[256];
768 
769    /* Share fields */
770    png_uint_32        chunklen; /* Length of chunk+overhead (chunkpos >= 8) */
771    png_uint_32        chunktype;/* Type of chunk (valid if chunkpos >= 4) */
772    png_uint_32        chunkpos; /* Position in chunk */
773    png_uint_32        IDAT_size;/* Accumulated IDAT size in .new */
774    unsigned int       IDAT_bits;/* Cache of the file store value */
775 
776    /* Read fields */
777    png_structp        pread;    /* Used to read a saved file */
778    png_infop          piread;
779    png_store_file*    current;  /* Set when reading */
780    png_store_buffer*  next;     /* Set when reading */
781    png_size_t         readpos;  /* Position in *next */
782    png_byte*          image;    /* Buffer for reading interlaced images */
783    png_size_t         cb_image; /* Size of this buffer */
784    png_size_t         cb_row;   /* Row size of the image(s) */
785    uLong              IDAT_crc;
786    png_uint_32        IDAT_len; /* Used when re-chunking IDAT chunks */
787    png_uint_32        IDAT_pos; /* Used when re-chunking IDAT chunks */
788    png_uint_32        image_h;  /* Number of rows in a single image */
789    store_pool         read_memory_pool;
790 
791    /* Write fields */
792    png_store_file*    saved;
793    png_structp        pwrite;   /* Used when writing a new file */
794    png_infop          piwrite;
795    png_size_t         writepos; /* Position in .new */
796    char               wname[FILE_NAME_SIZE];
797    png_store_buffer   new;      /* The end of the new PNG file being written. */
798    store_pool         write_memory_pool;
799    store_palette_entry* palette;
800    int                  npalette;
801 } png_store;
802 
803 /* Initialization and cleanup */
804 static void
store_pool_mark(png_bytep mark)805 store_pool_mark(png_bytep mark)
806 {
807    static png_uint_32 store_seed[2] = { 0x12345678, 1};
808 
809    make_four_random_bytes(store_seed, mark);
810 }
811 
812 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
813 /* Use this for random 32 bit values; this function makes sure the result is
814  * non-zero.
815  */
816 static png_uint_32
random_32(void)817 random_32(void)
818 {
819 
820    for (;;)
821    {
822       png_byte mark[4];
823       png_uint_32 result;
824 
825       store_pool_mark(mark);
826       result = png_get_uint_32(mark);
827 
828       if (result != 0)
829          return result;
830    }
831 }
832 #endif /* PNG_READ_SUPPORTED */
833 
834 static void
store_pool_init(png_store * ps,store_pool * pool)835 store_pool_init(png_store *ps, store_pool *pool)
836 {
837    memset(pool, 0, sizeof *pool);
838 
839    pool->store = ps;
840    pool->list = NULL;
841    pool->max = pool->current = pool->limit = pool->total = 0;
842    pool->max_max = pool->max_limit = pool->max_total = 0;
843    store_pool_mark(pool->mark);
844 }
845 
846 static void
store_init(png_store * ps)847 store_init(png_store* ps)
848 {
849    memset(ps, 0, sizeof *ps);
850    init_exception_context(&ps->exception_context);
851    store_pool_init(ps, &ps->read_memory_pool);
852    store_pool_init(ps, &ps->write_memory_pool);
853    ps->verbose = 0;
854    ps->treat_warnings_as_errors = 0;
855    ps->expect_error = 0;
856    ps->expect_warning = 0;
857    ps->saw_warning = 0;
858    ps->speed = 0;
859    ps->progressive = 0;
860    ps->validated = 0;
861    ps->nerrors = ps->nwarnings = 0;
862    ps->pread = NULL;
863    ps->piread = NULL;
864    ps->saved = ps->current = NULL;
865    ps->next = NULL;
866    ps->readpos = 0;
867    ps->image = NULL;
868    ps->cb_image = 0;
869    ps->cb_row = 0;
870    ps->image_h = 0;
871    ps->pwrite = NULL;
872    ps->piwrite = NULL;
873    ps->writepos = 0;
874    ps->chunkpos = 8;
875    ps->chunktype = 0;
876    ps->chunklen = 16;
877    ps->IDAT_size = 0;
878    ps->IDAT_bits = 0;
879    ps->new.prev = NULL;
880    ps->palette = NULL;
881    ps->npalette = 0;
882    ps->noptions = 0;
883 }
884 
885 static void
store_freebuffer(png_store_buffer * psb)886 store_freebuffer(png_store_buffer* psb)
887 {
888    if (psb->prev)
889    {
890       store_freebuffer(psb->prev);
891       free(psb->prev);
892       psb->prev = NULL;
893    }
894 }
895 
896 static void
store_freenew(png_store * ps)897 store_freenew(png_store *ps)
898 {
899    store_freebuffer(&ps->new);
900    ps->writepos = 0;
901    ps->chunkpos = 8;
902    ps->chunktype = 0;
903    ps->chunklen = 16;
904    ps->IDAT_size = 0;
905    ps->IDAT_bits = 0;
906    if (ps->palette != NULL)
907    {
908       free(ps->palette);
909       ps->palette = NULL;
910       ps->npalette = 0;
911    }
912 }
913 
914 static void
store_storenew(png_store * ps)915 store_storenew(png_store *ps)
916 {
917    png_store_buffer *pb;
918 
919    pb = voidcast(png_store_buffer*, malloc(sizeof *pb));
920 
921    if (pb == NULL)
922       png_error(ps->pwrite, "store new: OOM");
923 
924    *pb = ps->new;
925    ps->new.prev = pb;
926    ps->writepos = 0;
927 }
928 
929 static void
store_freefile(png_store_file ** ppf)930 store_freefile(png_store_file **ppf)
931 {
932    if (*ppf != NULL)
933    {
934       store_freefile(&(*ppf)->next);
935 
936       store_freebuffer(&(*ppf)->data);
937       (*ppf)->datacount = 0;
938       if ((*ppf)->palette != NULL)
939       {
940          free((*ppf)->palette);
941          (*ppf)->palette = NULL;
942          (*ppf)->npalette = 0;
943       }
944       free(*ppf);
945       *ppf = NULL;
946    }
947 }
948 
949 static unsigned int
bits_of(png_uint_32 num)950 bits_of(png_uint_32 num)
951 {
952    /* Return the number of bits in 'num' */
953    unsigned int b = 0;
954 
955    if (num & 0xffff0000U)  b += 16U, num >>= 16;
956    if (num & 0xff00U)      b += 8U, num >>= 8;
957    if (num & 0xf0U)        b += 4U, num >>= 4;
958    if (num & 0xcU)         b += 2U, num >>= 2;
959    if (num & 0x2U)         ++b, num >>= 1;
960    if (num)                ++b;
961 
962    return b; /* 0..32 */
963 }
964 
965 /* Main interface to file storeage, after writing a new PNG file (see the API
966  * below) call store_storefile to store the result with the given name and id.
967  */
968 static void
store_storefile(png_store * ps,png_uint_32 id)969 store_storefile(png_store *ps, png_uint_32 id)
970 {
971    png_store_file *pf;
972 
973    if (ps->chunkpos != 0U || ps->chunktype != 0U || ps->chunklen != 0U ||
974        ps->IDAT_size == 0)
975       png_error(ps->pwrite, "storefile: incomplete write");
976 
977    pf = voidcast(png_store_file*, malloc(sizeof *pf));
978    if (pf == NULL)
979       png_error(ps->pwrite, "storefile: OOM");
980    safecat(pf->name, sizeof pf->name, 0, ps->wname);
981    pf->id = id;
982    pf->data = ps->new;
983    pf->datacount = ps->writepos;
984    pf->IDAT_size = ps->IDAT_size;
985    pf->IDAT_bits = bits_of(ps->IDAT_size);
986    /* Because the IDAT always has zlib header stuff this must be true: */
987    if (pf->IDAT_bits == 0U)
988       png_error(ps->pwrite, "storefile: 0 sized IDAT");
989    ps->new.prev = NULL;
990    ps->writepos = 0;
991    ps->chunkpos = 8;
992    ps->chunktype = 0;
993    ps->chunklen = 16;
994    ps->IDAT_size = 0;
995    pf->palette = ps->palette;
996    pf->npalette = ps->npalette;
997    ps->palette = 0;
998    ps->npalette = 0;
999 
1000    /* And save it. */
1001    pf->next = ps->saved;
1002    ps->saved = pf;
1003 }
1004 
1005 /* Generate an error message (in the given buffer) */
1006 static size_t
store_message(png_store * ps,png_const_structp pp,char * buffer,size_t bufsize,size_t pos,const char * msg)1007 store_message(png_store *ps, png_const_structp pp, char *buffer, size_t bufsize,
1008    size_t pos, const char *msg)
1009 {
1010    if (pp != NULL && pp == ps->pread)
1011    {
1012       /* Reading a file */
1013       pos = safecat(buffer, bufsize, pos, "read: ");
1014 
1015       if (ps->current != NULL)
1016       {
1017          pos = safecat(buffer, bufsize, pos, ps->current->name);
1018          pos = safecat(buffer, bufsize, pos, sep);
1019       }
1020    }
1021 
1022    else if (pp != NULL && pp == ps->pwrite)
1023    {
1024       /* Writing a file */
1025       pos = safecat(buffer, bufsize, pos, "write: ");
1026       pos = safecat(buffer, bufsize, pos, ps->wname);
1027       pos = safecat(buffer, bufsize, pos, sep);
1028    }
1029 
1030    else
1031    {
1032       /* Neither reading nor writing (or a memory error in struct delete) */
1033       pos = safecat(buffer, bufsize, pos, "pngvalid: ");
1034    }
1035 
1036    if (ps->test[0] != 0)
1037    {
1038       pos = safecat(buffer, bufsize, pos, ps->test);
1039       pos = safecat(buffer, bufsize, pos, sep);
1040    }
1041    pos = safecat(buffer, bufsize, pos, msg);
1042    return pos;
1043 }
1044 
1045 /* Verbose output to the error stream: */
1046 static void
store_verbose(png_store * ps,png_const_structp pp,png_const_charp prefix,png_const_charp message)1047 store_verbose(png_store *ps, png_const_structp pp, png_const_charp prefix,
1048    png_const_charp message)
1049 {
1050    char buffer[512];
1051 
1052    if (prefix)
1053       fputs(prefix, stderr);
1054 
1055    (void)store_message(ps, pp, buffer, sizeof buffer, 0, message);
1056    fputs(buffer, stderr);
1057    fputc('\n', stderr);
1058 }
1059 
1060 /* Log an error or warning - the relevant count is always incremented. */
1061 static void
store_log(png_store * ps,png_const_structp pp,png_const_charp message,int is_error)1062 store_log(png_store* ps, png_const_structp pp, png_const_charp message,
1063    int is_error)
1064 {
1065    /* The warning is copied to the error buffer if there are no errors and it is
1066     * the first warning.  The error is copied to the error buffer if it is the
1067     * first error (overwriting any prior warnings).
1068     */
1069    if (is_error ? (ps->nerrors)++ == 0 :
1070        (ps->nwarnings)++ == 0 && ps->nerrors == 0)
1071       store_message(ps, pp, ps->error, sizeof ps->error, 0, message);
1072 
1073    if (ps->verbose)
1074       store_verbose(ps, pp, is_error ? "error: " : "warning: ", message);
1075 }
1076 
1077 #ifdef PNG_READ_SUPPORTED
1078 /* Internal error function, called with a png_store but no libpng stuff. */
1079 static void
internal_error(png_store * ps,png_const_charp message)1080 internal_error(png_store *ps, png_const_charp message)
1081 {
1082    store_log(ps, NULL, message, 1 /* error */);
1083 
1084    /* And finally throw an exception. */
1085    {
1086       struct exception_context *the_exception_context = &ps->exception_context;
1087       Throw ps;
1088    }
1089 }
1090 #endif /* PNG_READ_SUPPORTED */
1091 
1092 /* Functions to use as PNG callbacks. */
1093 static void PNGCBAPI
store_error(png_structp ppIn,png_const_charp message)1094 store_error(png_structp ppIn, png_const_charp message) /* PNG_NORETURN */
1095 {
1096    png_const_structp pp = ppIn;
1097    png_store *ps = voidcast(png_store*, png_get_error_ptr(pp));
1098 
1099    if (!ps->expect_error)
1100       store_log(ps, pp, message, 1 /* error */);
1101 
1102    /* And finally throw an exception. */
1103    {
1104       struct exception_context *the_exception_context = &ps->exception_context;
1105       Throw ps;
1106    }
1107 }
1108 
1109 static void PNGCBAPI
store_warning(png_structp ppIn,png_const_charp message)1110 store_warning(png_structp ppIn, png_const_charp message)
1111 {
1112    png_const_structp pp = ppIn;
1113    png_store *ps = voidcast(png_store*, png_get_error_ptr(pp));
1114 
1115    if (!ps->expect_warning)
1116       store_log(ps, pp, message, 0 /* warning */);
1117    else
1118       ps->saw_warning = 1;
1119 }
1120 
1121 /* These somewhat odd functions are used when reading an image to ensure that
1122  * the buffer is big enough, the png_structp is for errors.
1123  */
1124 /* Return a single row from the correct image. */
1125 static png_bytep
store_image_row(const png_store * ps,png_const_structp pp,int nImage,png_uint_32 y)1126 store_image_row(const png_store* ps, png_const_structp pp, int nImage,
1127    png_uint_32 y)
1128 {
1129    png_size_t coffset = (nImage * ps->image_h + y) * (ps->cb_row + 5) + 2;
1130 
1131    if (ps->image == NULL)
1132       png_error(pp, "no allocated image");
1133 
1134    if (coffset + ps->cb_row + 3 > ps->cb_image)
1135       png_error(pp, "image too small");
1136 
1137    return ps->image + coffset;
1138 }
1139 
1140 static void
store_image_free(png_store * ps,png_const_structp pp)1141 store_image_free(png_store *ps, png_const_structp pp)
1142 {
1143    if (ps->image != NULL)
1144    {
1145       png_bytep image = ps->image;
1146 
1147       if (image[-1] != 0xed || image[ps->cb_image] != 0xfe)
1148       {
1149          if (pp != NULL)
1150             png_error(pp, "png_store image overwrite (1)");
1151          else
1152             store_log(ps, NULL, "png_store image overwrite (2)", 1);
1153       }
1154 
1155       ps->image = NULL;
1156       ps->cb_image = 0;
1157       --image;
1158       free(image);
1159    }
1160 }
1161 
1162 static void
store_ensure_image(png_store * ps,png_const_structp pp,int nImages,png_size_t cbRow,png_uint_32 cRows)1163 store_ensure_image(png_store *ps, png_const_structp pp, int nImages,
1164    png_size_t cbRow, png_uint_32 cRows)
1165 {
1166    png_size_t cb = nImages * cRows * (cbRow + 5);
1167 
1168    if (ps->cb_image < cb)
1169    {
1170       png_bytep image;
1171 
1172       store_image_free(ps, pp);
1173 
1174       /* The buffer is deliberately mis-aligned. */
1175       image = voidcast(png_bytep, malloc(cb+2));
1176       if (image == NULL)
1177       {
1178          /* Called from the startup - ignore the error for the moment. */
1179          if (pp == NULL)
1180             return;
1181 
1182          png_error(pp, "OOM allocating image buffer");
1183       }
1184 
1185       /* These magic tags are used to detect overwrites above. */
1186       ++image;
1187       image[-1] = 0xed;
1188       image[cb] = 0xfe;
1189 
1190       ps->image = image;
1191       ps->cb_image = cb;
1192    }
1193 
1194    /* We have an adequate sized image; lay out the rows.  There are 2 bytes at
1195     * the start and three at the end of each (this ensures that the row
1196     * alignment starts out odd - 2+1 and changes for larger images on each row.)
1197     */
1198    ps->cb_row = cbRow;
1199    ps->image_h = cRows;
1200 
1201    /* For error checking, the whole buffer is set to 10110010 (0xb2 - 178).
1202     * This deliberately doesn't match the bits in the size test image which are
1203     * outside the image; these are set to 0xff (all 1).  To make the row
1204     * comparison work in the 'size' test case the size rows are pre-initialized
1205     * to the same value prior to calling 'standard_row'.
1206     */
1207    memset(ps->image, 178, cb);
1208 
1209    /* Then put in the marks. */
1210    while (--nImages >= 0)
1211    {
1212       png_uint_32 y;
1213 
1214       for (y=0; y<cRows; ++y)
1215       {
1216          png_bytep row = store_image_row(ps, pp, nImages, y);
1217 
1218          /* The markers: */
1219          row[-2] = 190;
1220          row[-1] = 239;
1221          row[cbRow] = 222;
1222          row[cbRow+1] = 173;
1223          row[cbRow+2] = 17;
1224       }
1225    }
1226 }
1227 
1228 #ifdef PNG_READ_SUPPORTED
1229 static void
store_image_check(const png_store * ps,png_const_structp pp,int iImage)1230 store_image_check(const png_store* ps, png_const_structp pp, int iImage)
1231 {
1232    png_const_bytep image = ps->image;
1233 
1234    if (image[-1] != 0xed || image[ps->cb_image] != 0xfe)
1235       png_error(pp, "image overwrite");
1236    else
1237    {
1238       png_size_t cbRow = ps->cb_row;
1239       png_uint_32 rows = ps->image_h;
1240 
1241       image += iImage * (cbRow+5) * ps->image_h;
1242 
1243       image += 2; /* skip image first row markers */
1244 
1245       while (rows-- > 0)
1246       {
1247          if (image[-2] != 190 || image[-1] != 239)
1248             png_error(pp, "row start overwritten");
1249 
1250          if (image[cbRow] != 222 || image[cbRow+1] != 173 ||
1251             image[cbRow+2] != 17)
1252             png_error(pp, "row end overwritten");
1253 
1254          image += cbRow+5;
1255       }
1256    }
1257 }
1258 #endif /* PNG_READ_SUPPORTED */
1259 
1260 static int
valid_chunktype(png_uint_32 chunktype)1261 valid_chunktype(png_uint_32 chunktype)
1262 {
1263    /* Each byte in the chunk type must be in one of the ranges 65..90, 97..122
1264     * (both inclusive), so:
1265     */
1266    unsigned int i;
1267 
1268    for (i=0; i<4; ++i)
1269    {
1270       unsigned int c = chunktype & 0xffU;
1271 
1272       if (!((c >= 65U && c <= 90U) || (c >= 97U && c <= 122U)))
1273          return 0;
1274 
1275       chunktype >>= 8;
1276    }
1277 
1278    return 1; /* It's valid */
1279 }
1280 
1281 static void PNGCBAPI
store_write(png_structp ppIn,png_bytep pb,png_size_t st)1282 store_write(png_structp ppIn, png_bytep pb, png_size_t st)
1283 {
1284    png_const_structp pp = ppIn;
1285    png_store *ps = voidcast(png_store*, png_get_io_ptr(pp));
1286    size_t writepos = ps->writepos;
1287    png_uint_32 chunkpos = ps->chunkpos;
1288    png_uint_32 chunktype = ps->chunktype;
1289    png_uint_32 chunklen = ps->chunklen;
1290 
1291    if (ps->pwrite != pp)
1292       png_error(pp, "store state damaged");
1293 
1294    /* Technically this is legal, but in practice libpng never writes more than
1295     * the maximum chunk size at once so if it happens something weird has
1296     * changed inside libpng (probably).
1297     */
1298    if (st > 0x7fffffffU)
1299       png_error(pp, "unexpected write size");
1300 
1301    /* Now process the bytes to be written.  Do this in units of the space in the
1302     * output (write) buffer or, at the start 4 bytes for the chunk type and
1303     * length limited in any case by the amount of data.
1304     */
1305    while (st > 0)
1306    {
1307       if (writepos >= STORE_BUFFER_SIZE)
1308          store_storenew(ps), writepos = 0;
1309 
1310       if (chunkpos < 4)
1311       {
1312          png_byte b = *pb++;
1313          --st;
1314          chunklen = (chunklen << 8) + b;
1315          ps->new.buffer[writepos++] = b;
1316          ++chunkpos;
1317       }
1318 
1319       else if (chunkpos < 8)
1320       {
1321          png_byte b = *pb++;
1322          --st;
1323          chunktype = (chunktype << 8) + b;
1324          ps->new.buffer[writepos++] = b;
1325 
1326          if (++chunkpos == 8)
1327          {
1328             chunklen &= 0xffffffffU;
1329             if (chunklen > 0x7fffffffU)
1330                png_error(pp, "chunk length too great");
1331 
1332             chunktype &= 0xffffffffU;
1333             if (chunktype == CHUNK_IDAT)
1334             {
1335                if (chunklen > ~ps->IDAT_size)
1336                   png_error(pp, "pngvalid internal image too large");
1337 
1338                ps->IDAT_size += chunklen;
1339             }
1340 
1341             else if (!valid_chunktype(chunktype))
1342                png_error(pp, "invalid chunk type");
1343 
1344             chunklen += 12; /* for header and CRC */
1345          }
1346       }
1347 
1348       else /* chunkpos >= 8 */
1349       {
1350          png_size_t cb = st;
1351 
1352          if (cb > STORE_BUFFER_SIZE - writepos)
1353             cb = STORE_BUFFER_SIZE - writepos;
1354 
1355          if (cb  > chunklen - chunkpos/* bytes left in chunk*/)
1356             cb = (png_size_t)/*SAFE*/(chunklen - chunkpos);
1357 
1358          memcpy(ps->new.buffer + writepos, pb, cb);
1359          chunkpos += (png_uint_32)/*SAFE*/cb;
1360          pb += cb;
1361          writepos += cb;
1362          st -= cb;
1363 
1364          if (chunkpos >= chunklen) /* must be equal */
1365             chunkpos = chunktype = chunklen = 0;
1366       }
1367    } /* while (st > 0) */
1368 
1369    ps->writepos = writepos;
1370    ps->chunkpos = chunkpos;
1371    ps->chunktype = chunktype;
1372    ps->chunklen = chunklen;
1373 }
1374 
1375 static void PNGCBAPI
store_flush(png_structp ppIn)1376 store_flush(png_structp ppIn)
1377 {
1378    UNUSED(ppIn) /*DOES NOTHING*/
1379 }
1380 
1381 #ifdef PNG_READ_SUPPORTED
1382 static size_t
store_read_buffer_size(png_store * ps)1383 store_read_buffer_size(png_store *ps)
1384 {
1385    /* Return the bytes available for read in the current buffer. */
1386    if (ps->next != &ps->current->data)
1387       return STORE_BUFFER_SIZE;
1388 
1389    return ps->current->datacount;
1390 }
1391 
1392 /* Return total bytes available for read. */
1393 static size_t
store_read_buffer_avail(png_store * ps)1394 store_read_buffer_avail(png_store *ps)
1395 {
1396    if (ps->current != NULL && ps->next != NULL)
1397    {
1398       png_store_buffer *next = &ps->current->data;
1399       size_t cbAvail = ps->current->datacount;
1400 
1401       while (next != ps->next && next != NULL)
1402       {
1403          next = next->prev;
1404          cbAvail += STORE_BUFFER_SIZE;
1405       }
1406 
1407       if (next != ps->next)
1408          png_error(ps->pread, "buffer read error");
1409 
1410       if (cbAvail > ps->readpos)
1411          return cbAvail - ps->readpos;
1412    }
1413 
1414    return 0;
1415 }
1416 
1417 static int
store_read_buffer_next(png_store * ps)1418 store_read_buffer_next(png_store *ps)
1419 {
1420    png_store_buffer *pbOld = ps->next;
1421    png_store_buffer *pbNew = &ps->current->data;
1422    if (pbOld != pbNew)
1423    {
1424       while (pbNew != NULL && pbNew->prev != pbOld)
1425          pbNew = pbNew->prev;
1426 
1427       if (pbNew != NULL)
1428       {
1429          ps->next = pbNew;
1430          ps->readpos = 0;
1431          return 1;
1432       }
1433 
1434       png_error(ps->pread, "buffer lost");
1435    }
1436 
1437    return 0; /* EOF or error */
1438 }
1439 
1440 /* Need separate implementation and callback to allow use of the same code
1441  * during progressive read, where the io_ptr is set internally by libpng.
1442  */
1443 static void
store_read_imp(png_store * ps,png_bytep pb,png_size_t st)1444 store_read_imp(png_store *ps, png_bytep pb, png_size_t st)
1445 {
1446    if (ps->current == NULL || ps->next == NULL)
1447       png_error(ps->pread, "store state damaged");
1448 
1449    while (st > 0)
1450    {
1451       size_t cbAvail = store_read_buffer_size(ps) - ps->readpos;
1452 
1453       if (cbAvail > 0)
1454       {
1455          if (cbAvail > st) cbAvail = st;
1456          memcpy(pb, ps->next->buffer + ps->readpos, cbAvail);
1457          st -= cbAvail;
1458          pb += cbAvail;
1459          ps->readpos += cbAvail;
1460       }
1461 
1462       else if (!store_read_buffer_next(ps))
1463          png_error(ps->pread, "read beyond end of file");
1464    }
1465 }
1466 
1467 static png_size_t
store_read_chunk(png_store * ps,png_bytep pb,const png_size_t max,const png_size_t min)1468 store_read_chunk(png_store *ps, png_bytep pb, const png_size_t max,
1469       const png_size_t min)
1470 {
1471    png_uint_32 chunklen = ps->chunklen;
1472    png_uint_32 chunktype = ps->chunktype;
1473    png_uint_32 chunkpos = ps->chunkpos;
1474    png_size_t st = max;
1475 
1476    if (st > 0) do
1477    {
1478       if (chunkpos >= chunklen) /* end of last chunk */
1479       {
1480          png_byte buffer[8];
1481 
1482          /* Read the header of the next chunk: */
1483          store_read_imp(ps, buffer, 8U);
1484          chunklen = png_get_uint_32(buffer) + 12U;
1485          chunktype = png_get_uint_32(buffer+4U);
1486          chunkpos = 0U; /* Position read so far */
1487       }
1488 
1489       if (chunktype == CHUNK_IDAT)
1490       {
1491          png_uint_32 IDAT_pos = ps->IDAT_pos;
1492          png_uint_32 IDAT_len = ps->IDAT_len;
1493          png_uint_32 IDAT_size = ps->IDAT_size;
1494 
1495          /* The IDAT headers are constructed here; skip the input header. */
1496          if (chunkpos < 8U)
1497             chunkpos = 8U;
1498 
1499          if (IDAT_pos == IDAT_len)
1500          {
1501             png_byte random = random_byte();
1502 
1503             /* Make a new IDAT chunk, if IDAT_len is 0 this is the first IDAT,
1504              * if IDAT_size is 0 this is the end.  At present this is set up
1505              * using a random number so that there is a 25% chance before
1506              * the start of the first IDAT chunk being 0 length.
1507              */
1508             if (IDAT_len == 0U) /* First IDAT */
1509             {
1510                switch (random & 3U)
1511                {
1512                   case 0U: IDAT_len = 12U; break; /* 0 bytes */
1513                   case 1U: IDAT_len = 13U; break; /* 1 byte */
1514                   default: IDAT_len = random_u32();
1515                            IDAT_len %= IDAT_size;
1516                            IDAT_len += 13U; /* 1..IDAT_size bytes */
1517                            break;
1518                }
1519             }
1520 
1521             else if (IDAT_size == 0U) /* all IDAT data read */
1522             {
1523                /* The last (IDAT) chunk should be positioned at the CRC now: */
1524                if (chunkpos != chunklen-4U)
1525                   png_error(ps->pread, "internal: IDAT size mismatch");
1526 
1527                /* The only option here is to add a zero length IDAT, this
1528                 * happens 25% of the time.  Because of the check above
1529                 * chunklen-4U-chunkpos must be zero, we just need to skip the
1530                 * CRC now.
1531                 */
1532                if ((random & 3U) == 0U)
1533                   IDAT_len = 12U; /* Output another 0 length IDAT */
1534 
1535                else
1536                {
1537                   /* End of IDATs, skip the CRC to make the code above load the
1538                    * next chunk header next time round.
1539                    */
1540                   png_byte buffer[4];
1541 
1542                   store_read_imp(ps, buffer, 4U);
1543                   chunkpos += 4U;
1544                   ps->IDAT_pos = IDAT_pos;
1545                   ps->IDAT_len = IDAT_len;
1546                   ps->IDAT_size = 0U;
1547                   continue; /* Read the next chunk */
1548                }
1549             }
1550 
1551             else
1552             {
1553                /* Middle of IDATs, use 'random' to determine the number of bits
1554                 * to use in the IDAT length.
1555                 */
1556                IDAT_len = random_u32();
1557                IDAT_len &= (1U << (1U + random % ps->IDAT_bits)) - 1U;
1558                if (IDAT_len > IDAT_size)
1559                   IDAT_len = IDAT_size;
1560                IDAT_len += 12U; /* zero bytes may occur */
1561             }
1562 
1563             IDAT_pos = 0U;
1564             ps->IDAT_crc = 0x35af061e; /* Ie: crc32(0UL, "IDAT", 4) */
1565          } /* IDAT_pos == IDAT_len */
1566 
1567          if (IDAT_pos < 8U) /* Return the header */ do
1568          {
1569             png_uint_32 b;
1570             unsigned int shift;
1571 
1572             if (IDAT_pos < 4U)
1573                b = IDAT_len - 12U;
1574 
1575             else
1576                b = CHUNK_IDAT;
1577 
1578             shift = 3U & IDAT_pos;
1579             ++IDAT_pos;
1580 
1581             if (shift < 3U)
1582                b >>= 8U*(3U-shift);
1583 
1584             *pb++ = 0xffU & b;
1585          }
1586          while (--st > 0 && IDAT_pos < 8);
1587 
1588          else if (IDAT_pos < IDAT_len - 4U) /* I.e not the CRC */
1589          {
1590             if (chunkpos < chunklen-4U)
1591             {
1592                uInt avail = (uInt)-1;
1593 
1594                if (avail > (IDAT_len-4U) - IDAT_pos)
1595                   avail = (uInt)/*SAFE*/((IDAT_len-4U) - IDAT_pos);
1596 
1597                if (avail > st)
1598                   avail = (uInt)/*SAFE*/st;
1599 
1600                if (avail > (chunklen-4U) - chunkpos)
1601                   avail = (uInt)/*SAFE*/((chunklen-4U) - chunkpos);
1602 
1603                store_read_imp(ps, pb, avail);
1604                ps->IDAT_crc = crc32(ps->IDAT_crc, pb, avail);
1605                pb += (png_size_t)/*SAFE*/avail;
1606                st -= (png_size_t)/*SAFE*/avail;
1607                chunkpos += (png_uint_32)/*SAFE*/avail;
1608                IDAT_size -= (png_uint_32)/*SAFE*/avail;
1609                IDAT_pos += (png_uint_32)/*SAFE*/avail;
1610             }
1611 
1612             else /* skip the input CRC */
1613             {
1614                png_byte buffer[4];
1615 
1616                store_read_imp(ps, buffer, 4U);
1617                chunkpos += 4U;
1618             }
1619          }
1620 
1621          else /* IDAT crc */ do
1622          {
1623             uLong b = ps->IDAT_crc;
1624             unsigned int shift = (IDAT_len - IDAT_pos); /* 4..1 */
1625             ++IDAT_pos;
1626 
1627             if (shift > 1U)
1628                b >>= 8U*(shift-1U);
1629 
1630             *pb++ = 0xffU & b;
1631          }
1632          while (--st > 0 && IDAT_pos < IDAT_len);
1633 
1634          ps->IDAT_pos = IDAT_pos;
1635          ps->IDAT_len = IDAT_len;
1636          ps->IDAT_size = IDAT_size;
1637       }
1638 
1639       else /* !IDAT */
1640       {
1641          /* If there is still some pending IDAT data after the IDAT chunks have
1642           * been processed there is a problem:
1643           */
1644          if (ps->IDAT_len > 0 && ps->IDAT_size > 0)
1645             png_error(ps->pread, "internal: missing IDAT data");
1646 
1647          if (chunktype == CHUNK_IEND && ps->IDAT_len == 0U)
1648             png_error(ps->pread, "internal: missing IDAT");
1649 
1650          if (chunkpos < 8U) /* Return the header */ do
1651          {
1652             png_uint_32 b;
1653             unsigned int shift;
1654 
1655             if (chunkpos < 4U)
1656                b = chunklen - 12U;
1657 
1658             else
1659                b = chunktype;
1660 
1661             shift = 3U & chunkpos;
1662             ++chunkpos;
1663 
1664             if (shift < 3U)
1665                b >>= 8U*(3U-shift);
1666 
1667             *pb++ = 0xffU & b;
1668          }
1669          while (--st > 0 && chunkpos < 8);
1670 
1671          else /* Return chunk bytes, including the CRC */
1672          {
1673             png_size_t avail = st;
1674 
1675             if (avail > chunklen - chunkpos)
1676                avail = (png_size_t)/*SAFE*/(chunklen - chunkpos);
1677 
1678             store_read_imp(ps, pb, avail);
1679             pb += avail;
1680             st -= avail;
1681             chunkpos += (png_uint_32)/*SAFE*/avail;
1682 
1683             /* Check for end of chunk and end-of-file; don't try to read a new
1684              * chunk header at this point unless instructed to do so by 'min'.
1685              */
1686             if (chunkpos >= chunklen && max-st >= min &&
1687                      store_read_buffer_avail(ps) == 0)
1688                break;
1689          }
1690       } /* !IDAT */
1691    }
1692    while (st > 0);
1693 
1694    ps->chunklen = chunklen;
1695    ps->chunktype = chunktype;
1696    ps->chunkpos = chunkpos;
1697 
1698    return st; /* space left */
1699 }
1700 
1701 static void PNGCBAPI
store_read(png_structp ppIn,png_bytep pb,png_size_t st)1702 store_read(png_structp ppIn, png_bytep pb, png_size_t st)
1703 {
1704    png_const_structp pp = ppIn;
1705    png_store *ps = voidcast(png_store*, png_get_io_ptr(pp));
1706 
1707    if (ps == NULL || ps->pread != pp)
1708       png_error(pp, "bad store read call");
1709 
1710    store_read_chunk(ps, pb, st, st);
1711 }
1712 
1713 static void
store_progressive_read(png_store * ps,png_structp pp,png_infop pi)1714 store_progressive_read(png_store *ps, png_structp pp, png_infop pi)
1715 {
1716    if (ps->pread != pp || ps->current == NULL || ps->next == NULL)
1717       png_error(pp, "store state damaged (progressive)");
1718 
1719    /* This is another Horowitz and Hill random noise generator.  In this case
1720     * the aim is to stress the progressive reader with truly horrible variable
1721     * buffer sizes in the range 1..500, so a sequence of 9 bit random numbers
1722     * is generated.  We could probably just count from 1 to 32767 and get as
1723     * good a result.
1724     */
1725    while (store_read_buffer_avail(ps) > 0)
1726    {
1727       static png_uint_32 noise = 2;
1728       png_size_t cb;
1729       png_byte buffer[512];
1730 
1731       /* Generate 15 more bits of stuff: */
1732       noise = (noise << 9) | ((noise ^ (noise >> (9-5))) & 0x1ff);
1733       cb = noise & 0x1ff;
1734       cb -= store_read_chunk(ps, buffer, cb, 1);
1735       png_process_data(pp, pi, buffer, cb);
1736    }
1737 }
1738 #endif /* PNG_READ_SUPPORTED */
1739 
1740 /* The caller must fill this in: */
1741 static store_palette_entry *
store_write_palette(png_store * ps,int npalette)1742 store_write_palette(png_store *ps, int npalette)
1743 {
1744    if (ps->pwrite == NULL)
1745       store_log(ps, NULL, "attempt to write palette without write stream", 1);
1746 
1747    if (ps->palette != NULL)
1748       png_error(ps->pwrite, "multiple store_write_palette calls");
1749 
1750    /* This function can only return NULL if called with '0'! */
1751    if (npalette > 0)
1752    {
1753       ps->palette = voidcast(store_palette_entry*, malloc(npalette *
1754          sizeof *ps->palette));
1755 
1756       if (ps->palette == NULL)
1757          png_error(ps->pwrite, "store new palette: OOM");
1758 
1759       ps->npalette = npalette;
1760    }
1761 
1762    return ps->palette;
1763 }
1764 
1765 #ifdef PNG_READ_SUPPORTED
1766 static store_palette_entry *
store_current_palette(png_store * ps,int * npalette)1767 store_current_palette(png_store *ps, int *npalette)
1768 {
1769    /* This is an internal error (the call has been made outside a read
1770     * operation.)
1771     */
1772    if (ps->current == NULL)
1773    {
1774       store_log(ps, ps->pread, "no current stream for palette", 1);
1775       return NULL;
1776    }
1777 
1778    /* The result may be null if there is no palette. */
1779    *npalette = ps->current->npalette;
1780    return ps->current->palette;
1781 }
1782 #endif /* PNG_READ_SUPPORTED */
1783 
1784 /***************************** MEMORY MANAGEMENT*** ***************************/
1785 #ifdef PNG_USER_MEM_SUPPORTED
1786 /* A store_memory is simply the header for an allocated block of memory.  The
1787  * pointer returned to libpng is just after the end of the header block, the
1788  * allocated memory is followed by a second copy of the 'mark'.
1789  */
1790 typedef struct store_memory
1791 {
1792    store_pool          *pool;    /* Originating pool */
1793    struct store_memory *next;    /* Singly linked list */
1794    png_alloc_size_t     size;    /* Size of memory allocated */
1795    png_byte             mark[4]; /* ID marker */
1796 } store_memory;
1797 
1798 /* Handle a fatal error in memory allocation.  This calls png_error if the
1799  * libpng struct is non-NULL, else it outputs a message and returns.  This means
1800  * that a memory problem while libpng is running will abort (png_error) the
1801  * handling of particular file while one in cleanup (after the destroy of the
1802  * struct has returned) will simply keep going and free (or attempt to free)
1803  * all the memory.
1804  */
1805 static void
store_pool_error(png_store * ps,png_const_structp pp,const char * msg)1806 store_pool_error(png_store *ps, png_const_structp pp, const char *msg)
1807 {
1808    if (pp != NULL)
1809       png_error(pp, msg);
1810 
1811    /* Else we have to do it ourselves.  png_error eventually calls store_log,
1812     * above.  store_log accepts a NULL png_structp - it just changes what gets
1813     * output by store_message.
1814     */
1815    store_log(ps, pp, msg, 1 /* error */);
1816 }
1817 
1818 static void
store_memory_free(png_const_structp pp,store_pool * pool,store_memory * memory)1819 store_memory_free(png_const_structp pp, store_pool *pool, store_memory *memory)
1820 {
1821    /* Note that pp may be NULL (see store_pool_delete below), the caller has
1822     * found 'memory' in pool->list *and* unlinked this entry, so this is a valid
1823     * pointer (for sure), but the contents may have been trashed.
1824     */
1825    if (memory->pool != pool)
1826       store_pool_error(pool->store, pp, "memory corrupted (pool)");
1827 
1828    else if (memcmp(memory->mark, pool->mark, sizeof memory->mark) != 0)
1829       store_pool_error(pool->store, pp, "memory corrupted (start)");
1830 
1831    /* It should be safe to read the size field now. */
1832    else
1833    {
1834       png_alloc_size_t cb = memory->size;
1835 
1836       if (cb > pool->max)
1837          store_pool_error(pool->store, pp, "memory corrupted (size)");
1838 
1839       else if (memcmp((png_bytep)(memory+1)+cb, pool->mark, sizeof pool->mark)
1840          != 0)
1841          store_pool_error(pool->store, pp, "memory corrupted (end)");
1842 
1843       /* Finally give the library a chance to find problems too: */
1844       else
1845          {
1846          pool->current -= cb;
1847          free(memory);
1848          }
1849    }
1850 }
1851 
1852 static void
store_pool_delete(png_store * ps,store_pool * pool)1853 store_pool_delete(png_store *ps, store_pool *pool)
1854 {
1855    if (pool->list != NULL)
1856    {
1857       fprintf(stderr, "%s: %s %s: memory lost (list follows):\n", ps->test,
1858          pool == &ps->read_memory_pool ? "read" : "write",
1859          pool == &ps->read_memory_pool ? (ps->current != NULL ?
1860             ps->current->name : "unknown file") : ps->wname);
1861       ++ps->nerrors;
1862 
1863       do
1864       {
1865          store_memory *next = pool->list;
1866          pool->list = next->next;
1867          next->next = NULL;
1868 
1869          fprintf(stderr, "\t%lu bytes @ %p\n",
1870              (unsigned long)next->size, (const void*)(next+1));
1871          /* The NULL means this will always return, even if the memory is
1872           * corrupted.
1873           */
1874          store_memory_free(NULL, pool, next);
1875       }
1876       while (pool->list != NULL);
1877    }
1878 
1879    /* And reset the other fields too for the next time. */
1880    if (pool->max > pool->max_max) pool->max_max = pool->max;
1881    pool->max = 0;
1882    if (pool->current != 0) /* unexpected internal error */
1883       fprintf(stderr, "%s: %s %s: memory counter mismatch (internal error)\n",
1884          ps->test, pool == &ps->read_memory_pool ? "read" : "write",
1885          pool == &ps->read_memory_pool ? (ps->current != NULL ?
1886             ps->current->name : "unknown file") : ps->wname);
1887    pool->current = 0;
1888 
1889    if (pool->limit > pool->max_limit)
1890       pool->max_limit = pool->limit;
1891 
1892    pool->limit = 0;
1893 
1894    if (pool->total > pool->max_total)
1895       pool->max_total = pool->total;
1896 
1897    pool->total = 0;
1898 
1899    /* Get a new mark too. */
1900    store_pool_mark(pool->mark);
1901 }
1902 
1903 /* The memory callbacks: */
1904 static png_voidp PNGCBAPI
store_malloc(png_structp ppIn,png_alloc_size_t cb)1905 store_malloc(png_structp ppIn, png_alloc_size_t cb)
1906 {
1907    png_const_structp pp = ppIn;
1908    store_pool *pool = voidcast(store_pool*, png_get_mem_ptr(pp));
1909    store_memory *new = voidcast(store_memory*, malloc(cb + (sizeof *new) +
1910       (sizeof pool->mark)));
1911 
1912    if (new != NULL)
1913    {
1914       if (cb > pool->max)
1915          pool->max = cb;
1916 
1917       pool->current += cb;
1918 
1919       if (pool->current > pool->limit)
1920          pool->limit = pool->current;
1921 
1922       pool->total += cb;
1923 
1924       new->size = cb;
1925       memcpy(new->mark, pool->mark, sizeof new->mark);
1926       memcpy((png_byte*)(new+1) + cb, pool->mark, sizeof pool->mark);
1927       new->pool = pool;
1928       new->next = pool->list;
1929       pool->list = new;
1930       ++new;
1931    }
1932 
1933    else
1934    {
1935       /* NOTE: the PNG user malloc function cannot use the png_ptr it is passed
1936        * other than to retrieve the allocation pointer!  libpng calls the
1937        * store_malloc callback in two basic cases:
1938        *
1939        * 1) From png_malloc; png_malloc will do a png_error itself if NULL is
1940        *    returned.
1941        * 2) From png_struct or png_info structure creation; png_malloc is
1942        *    to return so cleanup can be performed.
1943        *
1944        * To handle this store_malloc can log a message, but can't do anything
1945        * else.
1946        */
1947       store_log(pool->store, pp, "out of memory", 1 /* is_error */);
1948    }
1949 
1950    return new;
1951 }
1952 
1953 static void PNGCBAPI
store_free(png_structp ppIn,png_voidp memory)1954 store_free(png_structp ppIn, png_voidp memory)
1955 {
1956    png_const_structp pp = ppIn;
1957    store_pool *pool = voidcast(store_pool*, png_get_mem_ptr(pp));
1958    store_memory *this = voidcast(store_memory*, memory), **test;
1959 
1960    /* Because libpng calls store_free with a dummy png_struct when deleting
1961     * png_struct or png_info via png_destroy_struct_2 it is necessary to check
1962     * the passed in png_structp to ensure it is valid, and not pass it to
1963     * png_error if it is not.
1964     */
1965    if (pp != pool->store->pread && pp != pool->store->pwrite)
1966       pp = NULL;
1967 
1968    /* First check that this 'memory' really is valid memory - it must be in the
1969     * pool list.  If it is, use the shared memory_free function to free it.
1970     */
1971    --this;
1972    for (test = &pool->list; *test != this; test = &(*test)->next)
1973    {
1974       if (*test == NULL)
1975       {
1976          store_pool_error(pool->store, pp, "bad pointer to free");
1977          return;
1978       }
1979    }
1980 
1981    /* Unlink this entry, *test == this. */
1982    *test = this->next;
1983    this->next = NULL;
1984    store_memory_free(pp, pool, this);
1985 }
1986 #endif /* PNG_USER_MEM_SUPPORTED */
1987 
1988 /* Setup functions. */
1989 /* Cleanup when aborting a write or after storing the new file. */
1990 static void
store_write_reset(png_store * ps)1991 store_write_reset(png_store *ps)
1992 {
1993    if (ps->pwrite != NULL)
1994    {
1995       anon_context(ps);
1996 
1997       Try
1998          png_destroy_write_struct(&ps->pwrite, &ps->piwrite);
1999 
2000       Catch_anonymous
2001       {
2002          /* memory corruption: continue. */
2003       }
2004 
2005       ps->pwrite = NULL;
2006       ps->piwrite = NULL;
2007    }
2008 
2009    /* And make sure that all the memory has been freed - this will output
2010     * spurious errors in the case of memory corruption above, but this is safe.
2011     */
2012 #  ifdef PNG_USER_MEM_SUPPORTED
2013       store_pool_delete(ps, &ps->write_memory_pool);
2014 #  endif
2015 
2016    store_freenew(ps);
2017 }
2018 
2019 /* The following is the main write function, it returns a png_struct and,
2020  * optionally, a png_info suitable for writiing a new PNG file.  Use
2021  * store_storefile above to record this file after it has been written.  The
2022  * returned libpng structures as destroyed by store_write_reset above.
2023  */
2024 static png_structp
set_store_for_write(png_store * ps,png_infopp ppi,const char * name)2025 set_store_for_write(png_store *ps, png_infopp ppi, const char *name)
2026 {
2027    anon_context(ps);
2028 
2029    Try
2030    {
2031       if (ps->pwrite != NULL)
2032          png_error(ps->pwrite, "write store already in use");
2033 
2034       store_write_reset(ps);
2035       safecat(ps->wname, sizeof ps->wname, 0, name);
2036 
2037       /* Don't do the slow memory checks if doing a speed test, also if user
2038        * memory is not supported we can't do it anyway.
2039        */
2040 #     ifdef PNG_USER_MEM_SUPPORTED
2041          if (!ps->speed)
2042             ps->pwrite = png_create_write_struct_2(PNG_LIBPNG_VER_STRING,
2043                ps, store_error, store_warning, &ps->write_memory_pool,
2044                store_malloc, store_free);
2045 
2046          else
2047 #     endif
2048          ps->pwrite = png_create_write_struct(PNG_LIBPNG_VER_STRING,
2049             ps, store_error, store_warning);
2050 
2051       png_set_write_fn(ps->pwrite, ps, store_write, store_flush);
2052 
2053 #     ifdef PNG_SET_OPTION_SUPPORTED
2054          {
2055             int opt;
2056             for (opt=0; opt<ps->noptions; ++opt)
2057                if (png_set_option(ps->pwrite, ps->options[opt].option,
2058                   ps->options[opt].setting) == PNG_OPTION_INVALID)
2059                   png_error(ps->pwrite, "png option invalid");
2060          }
2061 #     endif
2062 
2063       if (ppi != NULL)
2064          *ppi = ps->piwrite = png_create_info_struct(ps->pwrite);
2065    }
2066 
2067    Catch_anonymous
2068       return NULL;
2069 
2070    return ps->pwrite;
2071 }
2072 
2073 /* Cleanup when finished reading (either due to error or in the success case).
2074  * This routine exists even when there is no read support to make the code
2075  * tidier (avoid a mass of ifdefs) and so easier to maintain.
2076  */
2077 static void
store_read_reset(png_store * ps)2078 store_read_reset(png_store *ps)
2079 {
2080 #  ifdef PNG_READ_SUPPORTED
2081       if (ps->pread != NULL)
2082       {
2083          anon_context(ps);
2084 
2085          Try
2086             png_destroy_read_struct(&ps->pread, &ps->piread, NULL);
2087 
2088          Catch_anonymous
2089          {
2090             /* error already output: continue */
2091          }
2092 
2093          ps->pread = NULL;
2094          ps->piread = NULL;
2095       }
2096 #  endif
2097 
2098 #  ifdef PNG_USER_MEM_SUPPORTED
2099       /* Always do this to be safe. */
2100       store_pool_delete(ps, &ps->read_memory_pool);
2101 #  endif
2102 
2103    ps->current = NULL;
2104    ps->next = NULL;
2105    ps->readpos = 0;
2106    ps->validated = 0;
2107 
2108    ps->chunkpos = 8;
2109    ps->chunktype = 0;
2110    ps->chunklen = 16;
2111    ps->IDAT_size = 0;
2112 }
2113 
2114 #ifdef PNG_READ_SUPPORTED
2115 static void
store_read_set(png_store * ps,png_uint_32 id)2116 store_read_set(png_store *ps, png_uint_32 id)
2117 {
2118    png_store_file *pf = ps->saved;
2119 
2120    while (pf != NULL)
2121    {
2122       if (pf->id == id)
2123       {
2124          ps->current = pf;
2125          ps->next = NULL;
2126          ps->IDAT_size = pf->IDAT_size;
2127          ps->IDAT_bits = pf->IDAT_bits; /* just a cache */
2128          ps->IDAT_len = 0;
2129          ps->IDAT_pos = 0;
2130          ps->IDAT_crc = 0UL;
2131          store_read_buffer_next(ps);
2132          return;
2133       }
2134 
2135       pf = pf->next;
2136    }
2137 
2138    {
2139       size_t pos;
2140       char msg[FILE_NAME_SIZE+64];
2141 
2142       pos = standard_name_from_id(msg, sizeof msg, 0, id);
2143       pos = safecat(msg, sizeof msg, pos, ": file not found");
2144       png_error(ps->pread, msg);
2145    }
2146 }
2147 
2148 /* The main interface for reading a saved file - pass the id number of the file
2149  * to retrieve.  Ids must be unique or the earlier file will be hidden.  The API
2150  * returns a png_struct and, optionally, a png_info.  Both of these will be
2151  * destroyed by store_read_reset above.
2152  */
2153 static png_structp
set_store_for_read(png_store * ps,png_infopp ppi,png_uint_32 id,const char * name)2154 set_store_for_read(png_store *ps, png_infopp ppi, png_uint_32 id,
2155    const char *name)
2156 {
2157    /* Set the name for png_error */
2158    safecat(ps->test, sizeof ps->test, 0, name);
2159 
2160    if (ps->pread != NULL)
2161       png_error(ps->pread, "read store already in use");
2162 
2163    store_read_reset(ps);
2164 
2165    /* Both the create APIs can return NULL if used in their default mode
2166     * (because there is no other way of handling an error because the jmp_buf
2167     * by default is stored in png_struct and that has not been allocated!)
2168     * However, given that store_error works correctly in these circumstances
2169     * we don't ever expect NULL in this program.
2170     */
2171 #  ifdef PNG_USER_MEM_SUPPORTED
2172       if (!ps->speed)
2173          ps->pread = png_create_read_struct_2(PNG_LIBPNG_VER_STRING, ps,
2174              store_error, store_warning, &ps->read_memory_pool, store_malloc,
2175              store_free);
2176 
2177       else
2178 #  endif
2179    ps->pread = png_create_read_struct(PNG_LIBPNG_VER_STRING, ps, store_error,
2180       store_warning);
2181 
2182    if (ps->pread == NULL)
2183    {
2184       struct exception_context *the_exception_context = &ps->exception_context;
2185 
2186       store_log(ps, NULL, "png_create_read_struct returned NULL (unexpected)",
2187          1 /*error*/);
2188 
2189       Throw ps;
2190    }
2191 
2192 #  ifdef PNG_SET_OPTION_SUPPORTED
2193       {
2194          int opt;
2195          for (opt=0; opt<ps->noptions; ++opt)
2196             if (png_set_option(ps->pread, ps->options[opt].option,
2197                ps->options[opt].setting) == PNG_OPTION_INVALID)
2198                   png_error(ps->pread, "png option invalid");
2199       }
2200 #  endif
2201 
2202    store_read_set(ps, id);
2203 
2204    if (ppi != NULL)
2205       *ppi = ps->piread = png_create_info_struct(ps->pread);
2206 
2207    return ps->pread;
2208 }
2209 #endif /* PNG_READ_SUPPORTED */
2210 
2211 /* The overall cleanup of a store simply calls the above then removes all the
2212  * saved files.  This does not delete the store itself.
2213  */
2214 static void
store_delete(png_store * ps)2215 store_delete(png_store *ps)
2216 {
2217    store_write_reset(ps);
2218    store_read_reset(ps);
2219    store_freefile(&ps->saved);
2220    store_image_free(ps, NULL);
2221 }
2222 
2223 /*********************** PNG FILE MODIFICATION ON READ ************************/
2224 /* Files may be modified on read.  The following structure contains a complete
2225  * png_store together with extra members to handle modification and a special
2226  * read callback for libpng.  To use this the 'modifications' field must be set
2227  * to a list of png_modification structures that actually perform the
2228  * modification, otherwise a png_modifier is functionally equivalent to a
2229  * png_store.  There is a special read function, set_modifier_for_read, which
2230  * replaces set_store_for_read.
2231  */
2232 typedef enum modifier_state
2233 {
2234    modifier_start,                        /* Initial value */
2235    modifier_signature,                    /* Have a signature */
2236    modifier_IHDR                          /* Have an IHDR */
2237 } modifier_state;
2238 
2239 typedef struct CIE_color
2240 {
2241    /* A single CIE tristimulus value, representing the unique response of a
2242     * standard observer to a variety of light spectra.  The observer recognizes
2243     * all spectra that produce this response as the same color, therefore this
2244     * is effectively a description of a color.
2245     */
2246    double X, Y, Z;
2247 } CIE_color;
2248 
2249 typedef struct color_encoding
2250 {
2251    /* A description of an (R,G,B) encoding of color (as defined above); this
2252     * includes the actual colors of the (R,G,B) triples (1,0,0), (0,1,0) and
2253     * (0,0,1) plus an encoding value that is used to encode the linear
2254     * components R, G and B to give the actual values R^gamma, G^gamma and
2255     * B^gamma that are stored.
2256     */
2257    double    gamma;            /* Encoding (file) gamma of space */
2258    CIE_color red, green, blue; /* End points */
2259 } color_encoding;
2260 
2261 #ifdef PNG_READ_SUPPORTED
2262 #if defined PNG_READ_TRANSFORMS_SUPPORTED && defined PNG_READ_cHRM_SUPPORTED
2263 static double
chromaticity_x(CIE_color c)2264 chromaticity_x(CIE_color c)
2265 {
2266    return c.X / (c.X + c.Y + c.Z);
2267 }
2268 
2269 static double
chromaticity_y(CIE_color c)2270 chromaticity_y(CIE_color c)
2271 {
2272    return c.Y / (c.X + c.Y + c.Z);
2273 }
2274 
2275 static CIE_color
white_point(const color_encoding * encoding)2276 white_point(const color_encoding *encoding)
2277 {
2278    CIE_color white;
2279 
2280    white.X = encoding->red.X + encoding->green.X + encoding->blue.X;
2281    white.Y = encoding->red.Y + encoding->green.Y + encoding->blue.Y;
2282    white.Z = encoding->red.Z + encoding->green.Z + encoding->blue.Z;
2283 
2284    return white;
2285 }
2286 #endif /* READ_TRANSFORMS && READ_cHRM */
2287 
2288 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2289 static void
normalize_color_encoding(color_encoding * encoding)2290 normalize_color_encoding(color_encoding *encoding)
2291 {
2292    const double whiteY = encoding->red.Y + encoding->green.Y +
2293       encoding->blue.Y;
2294 
2295    if (whiteY != 1)
2296    {
2297       encoding->red.X /= whiteY;
2298       encoding->red.Y /= whiteY;
2299       encoding->red.Z /= whiteY;
2300       encoding->green.X /= whiteY;
2301       encoding->green.Y /= whiteY;
2302       encoding->green.Z /= whiteY;
2303       encoding->blue.X /= whiteY;
2304       encoding->blue.Y /= whiteY;
2305       encoding->blue.Z /= whiteY;
2306    }
2307 }
2308 #endif
2309 
2310 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
2311 static size_t
safecat_color_encoding(char * buffer,size_t bufsize,size_t pos,const color_encoding * e,double encoding_gamma)2312 safecat_color_encoding(char *buffer, size_t bufsize, size_t pos,
2313    const color_encoding *e, double encoding_gamma)
2314 {
2315    if (e != 0)
2316    {
2317       if (encoding_gamma != 0)
2318          pos = safecat(buffer, bufsize, pos, "(");
2319       pos = safecat(buffer, bufsize, pos, "R(");
2320       pos = safecatd(buffer, bufsize, pos, e->red.X, 4);
2321       pos = safecat(buffer, bufsize, pos, ",");
2322       pos = safecatd(buffer, bufsize, pos, e->red.Y, 4);
2323       pos = safecat(buffer, bufsize, pos, ",");
2324       pos = safecatd(buffer, bufsize, pos, e->red.Z, 4);
2325       pos = safecat(buffer, bufsize, pos, "),G(");
2326       pos = safecatd(buffer, bufsize, pos, e->green.X, 4);
2327       pos = safecat(buffer, bufsize, pos, ",");
2328       pos = safecatd(buffer, bufsize, pos, e->green.Y, 4);
2329       pos = safecat(buffer, bufsize, pos, ",");
2330       pos = safecatd(buffer, bufsize, pos, e->green.Z, 4);
2331       pos = safecat(buffer, bufsize, pos, "),B(");
2332       pos = safecatd(buffer, bufsize, pos, e->blue.X, 4);
2333       pos = safecat(buffer, bufsize, pos, ",");
2334       pos = safecatd(buffer, bufsize, pos, e->blue.Y, 4);
2335       pos = safecat(buffer, bufsize, pos, ",");
2336       pos = safecatd(buffer, bufsize, pos, e->blue.Z, 4);
2337       pos = safecat(buffer, bufsize, pos, ")");
2338       if (encoding_gamma != 0)
2339          pos = safecat(buffer, bufsize, pos, ")");
2340    }
2341 
2342    if (encoding_gamma != 0)
2343    {
2344       pos = safecat(buffer, bufsize, pos, "^");
2345       pos = safecatd(buffer, bufsize, pos, encoding_gamma, 5);
2346    }
2347 
2348    return pos;
2349 }
2350 #endif /* READ_TRANSFORMS */
2351 #endif /* PNG_READ_SUPPORTED */
2352 
2353 typedef struct png_modifier
2354 {
2355    png_store               this;             /* I am a png_store */
2356    struct png_modification *modifications;   /* Changes to make */
2357 
2358    modifier_state           state;           /* My state */
2359 
2360    /* Information from IHDR: */
2361    png_byte                 bit_depth;       /* From IHDR */
2362    png_byte                 colour_type;     /* From IHDR */
2363 
2364    /* While handling PLTE, IDAT and IEND these chunks may be pended to allow
2365     * other chunks to be inserted.
2366     */
2367    png_uint_32              pending_len;
2368    png_uint_32              pending_chunk;
2369 
2370    /* Test values */
2371    double                   *gammas;
2372    unsigned int              ngammas;
2373    unsigned int              ngamma_tests;     /* Number of gamma tests to run*/
2374    double                    current_gamma;    /* 0 if not set */
2375    const color_encoding *encodings;
2376    unsigned int              nencodings;
2377    const color_encoding *current_encoding; /* If an encoding has been set */
2378    unsigned int              encoding_counter; /* For iteration */
2379    int                       encoding_ignored; /* Something overwrote it */
2380 
2381    /* Control variables used to iterate through possible encodings, the
2382     * following must be set to 0 and tested by the function that uses the
2383     * png_modifier because the modifier only sets it to 1 (true.)
2384     */
2385    unsigned int              repeat :1;   /* Repeat this transform test. */
2386    unsigned int              test_uses_encoding :1;
2387 
2388    /* Lowest sbit to test (pre-1.7 libpng fails for sbit < 8) */
2389    png_byte                 sbitlow;
2390 
2391    /* Error control - these are the limits on errors accepted by the gamma tests
2392     * below.
2393     */
2394    double                   maxout8;  /* Maximum output value error */
2395    double                   maxabs8;  /* Absolute sample error 0..1 */
2396    double                   maxcalc8; /* Absolute sample error 0..1 */
2397    double                   maxpc8;   /* Percentage sample error 0..100% */
2398    double                   maxout16; /* Maximum output value error */
2399    double                   maxabs16; /* Absolute sample error 0..1 */
2400    double                   maxcalc16;/* Absolute sample error 0..1 */
2401    double                   maxcalcG; /* Absolute sample error 0..1 */
2402    double                   maxpc16;  /* Percentage sample error 0..100% */
2403 
2404    /* This is set by transforms that need to allow a higher limit, it is an
2405     * internal check on pngvalid to ensure that the calculated error limits are
2406     * not ridiculous; without this it is too easy to make a mistake in pngvalid
2407     * that allows any value through.
2408     *
2409     * NOTE: this is not checked in release builds.
2410     */
2411    double                   limit;    /* limit on error values, normally 4E-3 */
2412 
2413    /* Log limits - values above this are logged, but not necessarily
2414     * warned.
2415     */
2416    double                   log8;     /* Absolute error in 8 bits to log */
2417    double                   log16;    /* Absolute error in 16 bits to log */
2418 
2419    /* Logged 8 and 16 bit errors ('output' values): */
2420    double                   error_gray_2;
2421    double                   error_gray_4;
2422    double                   error_gray_8;
2423    double                   error_gray_16;
2424    double                   error_color_8;
2425    double                   error_color_16;
2426    double                   error_indexed;
2427 
2428    /* Flags: */
2429    /* Whether to call png_read_update_info, not png_read_start_image, and how
2430     * many times to call it.
2431     */
2432    int                      use_update_info;
2433 
2434    /* Whether or not to interlace. */
2435    int                      interlace_type :9; /* int, but must store '1' */
2436 
2437    /* Run the standard tests? */
2438    unsigned int             test_standard :1;
2439 
2440    /* Run the odd-sized image and interlace read/write tests? */
2441    unsigned int             test_size :1;
2442 
2443    /* Run tests on reading with a combination of transforms, */
2444    unsigned int             test_transform :1;
2445    unsigned int             test_tRNS :1; /* Includes tRNS images */
2446 
2447    /* When to use the use_input_precision option, this controls the gamma
2448     * validation code checks.  If set any value that is within the transformed
2449     * range input-.5 to input+.5 will be accepted, otherwise the value must be
2450     * within the normal limits.  It should not be necessary to set this; the
2451     * result should always be exact within the permitted error limits.
2452     */
2453    unsigned int             use_input_precision :1;
2454    unsigned int             use_input_precision_sbit :1;
2455    unsigned int             use_input_precision_16to8 :1;
2456 
2457    /* If set assume that the calculation bit depth is set by the input
2458     * precision, not the output precision.
2459     */
2460    unsigned int             calculations_use_input_precision :1;
2461 
2462    /* If set assume that the calculations are done in 16 bits even if the sample
2463     * depth is 8 bits.
2464     */
2465    unsigned int             assume_16_bit_calculations :1;
2466 
2467    /* Which gamma tests to run: */
2468    unsigned int             test_gamma_threshold :1;
2469    unsigned int             test_gamma_transform :1; /* main tests */
2470    unsigned int             test_gamma_sbit :1;
2471    unsigned int             test_gamma_scale16 :1;
2472    unsigned int             test_gamma_background :1;
2473    unsigned int             test_gamma_alpha_mode :1;
2474    unsigned int             test_gamma_expand16 :1;
2475    unsigned int             test_exhaustive :1;
2476 
2477    /* Whether or not to run the low-bit-depth grayscale tests.  This fails on
2478     * gamma images in some cases because of gross inaccuracies in the grayscale
2479     * gamma handling for low bit depth.
2480     */
2481    unsigned int             test_lbg :1;
2482    unsigned int             test_lbg_gamma_threshold :1;
2483    unsigned int             test_lbg_gamma_transform :1;
2484    unsigned int             test_lbg_gamma_sbit :1;
2485    unsigned int             test_lbg_gamma_composition :1;
2486 
2487    unsigned int             log :1;   /* Log max error */
2488 
2489    /* Buffer information, the buffer size limits the size of the chunks that can
2490     * be modified - they must fit (including header and CRC) into the buffer!
2491     */
2492    size_t                   flush;           /* Count of bytes to flush */
2493    size_t                   buffer_count;    /* Bytes in buffer */
2494    size_t                   buffer_position; /* Position in buffer */
2495    png_byte                 buffer[1024];
2496 } png_modifier;
2497 
2498 /* This returns true if the test should be stopped now because it has already
2499  * failed and it is running silently.
2500   */
fail(png_modifier * pm)2501 static int fail(png_modifier *pm)
2502 {
2503    return !pm->log && !pm->this.verbose && (pm->this.nerrors > 0 ||
2504        (pm->this.treat_warnings_as_errors && pm->this.nwarnings > 0));
2505 }
2506 
2507 static void
modifier_init(png_modifier * pm)2508 modifier_init(png_modifier *pm)
2509 {
2510    memset(pm, 0, sizeof *pm);
2511    store_init(&pm->this);
2512    pm->modifications = NULL;
2513    pm->state = modifier_start;
2514    pm->sbitlow = 1U;
2515    pm->ngammas = 0;
2516    pm->ngamma_tests = 0;
2517    pm->gammas = 0;
2518    pm->current_gamma = 0;
2519    pm->encodings = 0;
2520    pm->nencodings = 0;
2521    pm->current_encoding = 0;
2522    pm->encoding_counter = 0;
2523    pm->encoding_ignored = 0;
2524    pm->repeat = 0;
2525    pm->test_uses_encoding = 0;
2526    pm->maxout8 = pm->maxpc8 = pm->maxabs8 = pm->maxcalc8 = 0;
2527    pm->maxout16 = pm->maxpc16 = pm->maxabs16 = pm->maxcalc16 = 0;
2528    pm->maxcalcG = 0;
2529    pm->limit = 4E-3;
2530    pm->log8 = pm->log16 = 0; /* Means 'off' */
2531    pm->error_gray_2 = pm->error_gray_4 = pm->error_gray_8 = 0;
2532    pm->error_gray_16 = pm->error_color_8 = pm->error_color_16 = 0;
2533    pm->error_indexed = 0;
2534    pm->use_update_info = 0;
2535    pm->interlace_type = PNG_INTERLACE_NONE;
2536    pm->test_standard = 0;
2537    pm->test_size = 0;
2538    pm->test_transform = 0;
2539 #  ifdef PNG_WRITE_tRNS_SUPPORTED
2540       pm->test_tRNS = 1;
2541 #  else
2542       pm->test_tRNS = 0;
2543 #  endif
2544    pm->use_input_precision = 0;
2545    pm->use_input_precision_sbit = 0;
2546    pm->use_input_precision_16to8 = 0;
2547    pm->calculations_use_input_precision = 0;
2548    pm->assume_16_bit_calculations = 0;
2549    pm->test_gamma_threshold = 0;
2550    pm->test_gamma_transform = 0;
2551    pm->test_gamma_sbit = 0;
2552    pm->test_gamma_scale16 = 0;
2553    pm->test_gamma_background = 0;
2554    pm->test_gamma_alpha_mode = 0;
2555    pm->test_gamma_expand16 = 0;
2556    pm->test_lbg = 1;
2557    pm->test_lbg_gamma_threshold = 1;
2558    pm->test_lbg_gamma_transform = 1;
2559    pm->test_lbg_gamma_sbit = 1;
2560    pm->test_lbg_gamma_composition = 1;
2561    pm->test_exhaustive = 0;
2562    pm->log = 0;
2563 
2564    /* Rely on the memset for all the other fields - there are no pointers */
2565 }
2566 
2567 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
2568 
2569 /* This controls use of checks that explicitly know how libpng digitizes the
2570  * samples in calculations; setting this circumvents simple error limit checking
2571  * in the rgb_to_gray check, replacing it with an exact copy of the libpng 1.5
2572  * algorithm.
2573  */
2574 #define DIGITIZE PNG_LIBPNG_VER < 10700
2575 
2576 /* If pm->calculations_use_input_precision is set then operations will happen
2577  * with the precision of the input, not the precision of the output depth.
2578  *
2579  * If pm->assume_16_bit_calculations is set then even 8 bit calculations use 16
2580  * bit precision.  This only affects those of the following limits that pertain
2581  * to a calculation - not a digitization operation - unless the following API is
2582  * called directly.
2583  */
2584 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2585 #if DIGITIZE
digitize(double value,int depth,int do_round)2586 static double digitize(double value, int depth, int do_round)
2587 {
2588    /* 'value' is in the range 0 to 1, the result is the same value rounded to a
2589     * multiple of the digitization factor - 8 or 16 bits depending on both the
2590     * sample depth and the 'assume' setting.  Digitization is normally by
2591     * rounding and 'do_round' should be 1, if it is 0 the digitized value will
2592     * be truncated.
2593     */
2594    const unsigned int digitization_factor = (1U << depth) -1;
2595 
2596    /* Limiting the range is done as a convenience to the caller - it's easier to
2597     * do it once here than every time at the call site.
2598     */
2599    if (value <= 0)
2600       value = 0;
2601 
2602    else if (value >= 1)
2603       value = 1;
2604 
2605    value *= digitization_factor;
2606    if (do_round) value += .5;
2607    return floor(value)/digitization_factor;
2608 }
2609 #endif
2610 #endif /* RGB_TO_GRAY */
2611 
2612 #ifdef PNG_READ_GAMMA_SUPPORTED
abserr(const png_modifier * pm,int in_depth,int out_depth)2613 static double abserr(const png_modifier *pm, int in_depth, int out_depth)
2614 {
2615    /* Absolute error permitted in linear values - affected by the bit depth of
2616     * the calculations.
2617     */
2618    if (pm->assume_16_bit_calculations ||
2619       (pm->calculations_use_input_precision ? in_depth : out_depth) == 16)
2620       return pm->maxabs16;
2621    else
2622       return pm->maxabs8;
2623 }
2624 
calcerr(const png_modifier * pm,int in_depth,int out_depth)2625 static double calcerr(const png_modifier *pm, int in_depth, int out_depth)
2626 {
2627    /* Error in the linear composition arithmetic - only relevant when
2628     * composition actually happens (0 < alpha < 1).
2629     */
2630    if ((pm->calculations_use_input_precision ? in_depth : out_depth) == 16)
2631       return pm->maxcalc16;
2632    else if (pm->assume_16_bit_calculations)
2633       return pm->maxcalcG;
2634    else
2635       return pm->maxcalc8;
2636 }
2637 
pcerr(const png_modifier * pm,int in_depth,int out_depth)2638 static double pcerr(const png_modifier *pm, int in_depth, int out_depth)
2639 {
2640    /* Percentage error permitted in the linear values.  Note that the specified
2641     * value is a percentage but this routine returns a simple number.
2642     */
2643    if (pm->assume_16_bit_calculations ||
2644       (pm->calculations_use_input_precision ? in_depth : out_depth) == 16)
2645       return pm->maxpc16 * .01;
2646    else
2647       return pm->maxpc8 * .01;
2648 }
2649 
2650 /* Output error - the error in the encoded value.  This is determined by the
2651  * digitization of the output so can be +/-0.5 in the actual output value.  In
2652  * the expand_16 case with the current code in libpng the expand happens after
2653  * all the calculations are done in 8 bit arithmetic, so even though the output
2654  * depth is 16 the output error is determined by the 8 bit calculation.
2655  *
2656  * This limit is not determined by the bit depth of internal calculations.
2657  *
2658  * The specified parameter does *not* include the base .5 digitization error but
2659  * it is added here.
2660  */
outerr(const png_modifier * pm,int in_depth,int out_depth)2661 static double outerr(const png_modifier *pm, int in_depth, int out_depth)
2662 {
2663    /* There is a serious error in the 2 and 4 bit grayscale transform because
2664     * the gamma table value (8 bits) is simply shifted, not rounded, so the
2665     * error in 4 bit grayscale gamma is up to the value below.  This is a hack
2666     * to allow pngvalid to succeed:
2667     *
2668     * TODO: fix this in libpng
2669     */
2670    if (out_depth == 2)
2671       return .73182-.5;
2672 
2673    if (out_depth == 4)
2674       return .90644-.5;
2675 
2676    if ((pm->calculations_use_input_precision ? in_depth : out_depth) == 16)
2677       return pm->maxout16;
2678 
2679    /* This is the case where the value was calculated at 8-bit precision then
2680     * scaled to 16 bits.
2681     */
2682    else if (out_depth == 16)
2683       return pm->maxout8 * 257;
2684 
2685    else
2686       return pm->maxout8;
2687 }
2688 
2689 /* This does the same thing as the above however it returns the value to log,
2690  * rather than raising a warning.  This is useful for debugging to track down
2691  * exactly what set of parameters cause high error values.
2692  */
outlog(const png_modifier * pm,int in_depth,int out_depth)2693 static double outlog(const png_modifier *pm, int in_depth, int out_depth)
2694 {
2695    /* The command line parameters are either 8 bit (0..255) or 16 bit (0..65535)
2696     * and so must be adjusted for low bit depth grayscale:
2697     */
2698    if (out_depth <= 8)
2699    {
2700       if (pm->log8 == 0) /* switched off */
2701          return 256;
2702 
2703       if (out_depth < 8)
2704          return pm->log8 / 255 * ((1<<out_depth)-1);
2705 
2706       return pm->log8;
2707    }
2708 
2709    if ((pm->calculations_use_input_precision ? in_depth : out_depth) == 16)
2710    {
2711       if (pm->log16 == 0)
2712          return 65536;
2713 
2714       return pm->log16;
2715    }
2716 
2717    /* This is the case where the value was calculated at 8-bit precision then
2718     * scaled to 16 bits.
2719     */
2720    if (pm->log8 == 0)
2721       return 65536;
2722 
2723    return pm->log8 * 257;
2724 }
2725 
2726 /* This complements the above by providing the appropriate quantization for the
2727  * final value.  Normally this would just be quantization to an integral value,
2728  * but in the 8 bit calculation case it's actually quantization to a multiple of
2729  * 257!
2730  */
output_quantization_factor(const png_modifier * pm,int in_depth,int out_depth)2731 static int output_quantization_factor(const png_modifier *pm, int in_depth,
2732    int out_depth)
2733 {
2734    if (out_depth == 16 && in_depth != 16 &&
2735       pm->calculations_use_input_precision)
2736       return 257;
2737    else
2738       return 1;
2739 }
2740 #endif /* PNG_READ_GAMMA_SUPPORTED */
2741 
2742 /* One modification structure must be provided for each chunk to be modified (in
2743  * fact more than one can be provided if multiple separate changes are desired
2744  * for a single chunk.)  Modifications include adding a new chunk when a
2745  * suitable chunk does not exist.
2746  *
2747  * The caller of modify_fn will reset the CRC of the chunk and record 'modified'
2748  * or 'added' as appropriate if the modify_fn returns 1 (true).  If the
2749  * modify_fn is NULL the chunk is simply removed.
2750  */
2751 typedef struct png_modification
2752 {
2753    struct png_modification *next;
2754    png_uint_32              chunk;
2755 
2756    /* If the following is NULL all matching chunks will be removed: */
2757    int                    (*modify_fn)(struct png_modifier *pm,
2758                                struct png_modification *me, int add);
2759 
2760    /* If the following is set to PLTE, IDAT or IEND and the chunk has not been
2761     * found and modified (and there is a modify_fn) the modify_fn will be called
2762     * to add the chunk before the relevant chunk.
2763     */
2764    png_uint_32              add;
2765    unsigned int             modified :1;     /* Chunk was modified */
2766    unsigned int             added    :1;     /* Chunk was added */
2767    unsigned int             removed  :1;     /* Chunk was removed */
2768 } png_modification;
2769 
2770 static void
modification_reset(png_modification * pmm)2771 modification_reset(png_modification *pmm)
2772 {
2773    if (pmm != NULL)
2774    {
2775       pmm->modified = 0;
2776       pmm->added = 0;
2777       pmm->removed = 0;
2778       modification_reset(pmm->next);
2779    }
2780 }
2781 
2782 static void
modification_init(png_modification * pmm)2783 modification_init(png_modification *pmm)
2784 {
2785    memset(pmm, 0, sizeof *pmm);
2786    pmm->next = NULL;
2787    pmm->chunk = 0;
2788    pmm->modify_fn = NULL;
2789    pmm->add = 0;
2790    modification_reset(pmm);
2791 }
2792 
2793 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2794 static void
modifier_current_encoding(const png_modifier * pm,color_encoding * ce)2795 modifier_current_encoding(const png_modifier *pm, color_encoding *ce)
2796 {
2797    if (pm->current_encoding != 0)
2798       *ce = *pm->current_encoding;
2799 
2800    else
2801       memset(ce, 0, sizeof *ce);
2802 
2803    ce->gamma = pm->current_gamma;
2804 }
2805 #endif
2806 
2807 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
2808 static size_t
safecat_current_encoding(char * buffer,size_t bufsize,size_t pos,const png_modifier * pm)2809 safecat_current_encoding(char *buffer, size_t bufsize, size_t pos,
2810    const png_modifier *pm)
2811 {
2812    pos = safecat_color_encoding(buffer, bufsize, pos, pm->current_encoding,
2813       pm->current_gamma);
2814 
2815    if (pm->encoding_ignored)
2816       pos = safecat(buffer, bufsize, pos, "[overridden]");
2817 
2818    return pos;
2819 }
2820 #endif
2821 
2822 /* Iterate through the usefully testable color encodings.  An encoding is one
2823  * of:
2824  *
2825  * 1) Nothing (no color space, no gamma).
2826  * 2) Just a gamma value from the gamma array (including 1.0)
2827  * 3) A color space from the encodings array with the corresponding gamma.
2828  * 4) The same, but with gamma 1.0 (only really useful with 16 bit calculations)
2829  *
2830  * The iterator selects these in turn, the randomizer selects one at random,
2831  * which is used depends on the setting of the 'test_exhaustive' flag.  Notice
2832  * that this function changes the colour space encoding so it must only be
2833  * called on completion of the previous test.  This is what 'modifier_reset'
2834  * does, below.
2835  *
2836  * After the function has been called the 'repeat' flag will still be set; the
2837  * caller of modifier_reset must reset it at the start of each run of the test!
2838  */
2839 static unsigned int
modifier_total_encodings(const png_modifier * pm)2840 modifier_total_encodings(const png_modifier *pm)
2841 {
2842    return 1 +                 /* (1) nothing */
2843       pm->ngammas +           /* (2) gamma values to test */
2844       pm->nencodings +        /* (3) total number of encodings */
2845       /* The following test only works after the first time through the
2846        * png_modifier code because 'bit_depth' is set when the IHDR is read.
2847        * modifier_reset, below, preserves the setting until after it has called
2848        * the iterate function (also below.)
2849        *
2850        * For this reason do not rely on this function outside a call to
2851        * modifier_reset.
2852        */
2853       ((pm->bit_depth == 16 || pm->assume_16_bit_calculations) ?
2854          pm->nencodings : 0); /* (4) encodings with gamma == 1.0 */
2855 }
2856 
2857 static void
modifier_encoding_iterate(png_modifier * pm)2858 modifier_encoding_iterate(png_modifier *pm)
2859 {
2860    if (!pm->repeat && /* Else something needs the current encoding again. */
2861       pm->test_uses_encoding) /* Some transform is encoding dependent */
2862    {
2863       if (pm->test_exhaustive)
2864       {
2865          if (++pm->encoding_counter >= modifier_total_encodings(pm))
2866             pm->encoding_counter = 0; /* This will stop the repeat */
2867       }
2868 
2869       else
2870       {
2871          /* Not exhaustive - choose an encoding at random; generate a number in
2872           * the range 1..(max-1), so the result is always non-zero:
2873           */
2874          if (pm->encoding_counter == 0)
2875             pm->encoding_counter = random_mod(modifier_total_encodings(pm)-1)+1;
2876          else
2877             pm->encoding_counter = 0;
2878       }
2879 
2880       if (pm->encoding_counter > 0)
2881          pm->repeat = 1;
2882    }
2883 
2884    else if (!pm->repeat)
2885       pm->encoding_counter = 0;
2886 }
2887 
2888 static void
modifier_reset(png_modifier * pm)2889 modifier_reset(png_modifier *pm)
2890 {
2891    store_read_reset(&pm->this);
2892    pm->limit = 4E-3;
2893    pm->pending_len = pm->pending_chunk = 0;
2894    pm->flush = pm->buffer_count = pm->buffer_position = 0;
2895    pm->modifications = NULL;
2896    pm->state = modifier_start;
2897    modifier_encoding_iterate(pm);
2898    /* The following must be set in the next run.  In particular
2899     * test_uses_encodings must be set in the _ini function of each transform
2900     * that looks at the encodings.  (Not the 'add' function!)
2901     */
2902    pm->test_uses_encoding = 0;
2903    pm->current_gamma = 0;
2904    pm->current_encoding = 0;
2905    pm->encoding_ignored = 0;
2906    /* These only become value after IHDR is read: */
2907    pm->bit_depth = pm->colour_type = 0;
2908 }
2909 
2910 /* The following must be called before anything else to get the encoding set up
2911  * on the modifier.  In particular it must be called before the transform init
2912  * functions are called.
2913  */
2914 static void
modifier_set_encoding(png_modifier * pm)2915 modifier_set_encoding(png_modifier *pm)
2916 {
2917    /* Set the encoding to the one specified by the current encoding counter,
2918     * first clear out all the settings - this corresponds to an encoding_counter
2919     * of 0.
2920     */
2921    pm->current_gamma = 0;
2922    pm->current_encoding = 0;
2923    pm->encoding_ignored = 0; /* not ignored yet - happens in _ini functions. */
2924 
2925    /* Now, if required, set the gamma and encoding fields. */
2926    if (pm->encoding_counter > 0)
2927    {
2928       /* The gammas[] array is an array of screen gammas, not encoding gammas,
2929        * so we need the inverse:
2930        */
2931       if (pm->encoding_counter <= pm->ngammas)
2932          pm->current_gamma = 1/pm->gammas[pm->encoding_counter-1];
2933 
2934       else
2935       {
2936          unsigned int i = pm->encoding_counter - pm->ngammas;
2937 
2938          if (i >= pm->nencodings)
2939          {
2940             i %= pm->nencodings;
2941             pm->current_gamma = 1; /* Linear, only in the 16 bit case */
2942          }
2943 
2944          else
2945             pm->current_gamma = pm->encodings[i].gamma;
2946 
2947          pm->current_encoding = pm->encodings + i;
2948       }
2949    }
2950 }
2951 
2952 /* Enquiry functions to find out what is set.  Notice that there is an implicit
2953  * assumption below that the first encoding in the list is the one for sRGB.
2954  */
2955 static int
modifier_color_encoding_is_sRGB(const png_modifier * pm)2956 modifier_color_encoding_is_sRGB(const png_modifier *pm)
2957 {
2958    return pm->current_encoding != 0 && pm->current_encoding == pm->encodings &&
2959       pm->current_encoding->gamma == pm->current_gamma;
2960 }
2961 
2962 static int
modifier_color_encoding_is_set(const png_modifier * pm)2963 modifier_color_encoding_is_set(const png_modifier *pm)
2964 {
2965    return pm->current_gamma != 0;
2966 }
2967 
2968 /* The guts of modification are performed during a read. */
2969 static void
modifier_crc(png_bytep buffer)2970 modifier_crc(png_bytep buffer)
2971 {
2972    /* Recalculate the chunk CRC - a complete chunk must be in
2973     * the buffer, at the start.
2974     */
2975    uInt datalen = png_get_uint_32(buffer);
2976    uLong crc = crc32(0, buffer+4, datalen+4);
2977    /* The cast to png_uint_32 is safe because a crc32 is always a 32 bit value.
2978     */
2979    png_save_uint_32(buffer+datalen+8, (png_uint_32)crc);
2980 }
2981 
2982 static void
modifier_setbuffer(png_modifier * pm)2983 modifier_setbuffer(png_modifier *pm)
2984 {
2985    modifier_crc(pm->buffer);
2986    pm->buffer_count = png_get_uint_32(pm->buffer)+12;
2987    pm->buffer_position = 0;
2988 }
2989 
2990 /* Separate the callback into the actual implementation (which is passed the
2991  * png_modifier explicitly) and the callback, which gets the modifier from the
2992  * png_struct.
2993  */
2994 static void
modifier_read_imp(png_modifier * pm,png_bytep pb,png_size_t st)2995 modifier_read_imp(png_modifier *pm, png_bytep pb, png_size_t st)
2996 {
2997    while (st > 0)
2998    {
2999       size_t cb;
3000       png_uint_32 len, chunk;
3001       png_modification *mod;
3002 
3003       if (pm->buffer_position >= pm->buffer_count) switch (pm->state)
3004       {
3005          static png_byte sign[8] = { 137, 80, 78, 71, 13, 10, 26, 10 };
3006          case modifier_start:
3007             store_read_chunk(&pm->this, pm->buffer, 8, 8); /* signature. */
3008             pm->buffer_count = 8;
3009             pm->buffer_position = 0;
3010 
3011             if (memcmp(pm->buffer, sign, 8) != 0)
3012                png_error(pm->this.pread, "invalid PNG file signature");
3013             pm->state = modifier_signature;
3014             break;
3015 
3016          case modifier_signature:
3017             store_read_chunk(&pm->this, pm->buffer, 13+12, 13+12); /* IHDR */
3018             pm->buffer_count = 13+12;
3019             pm->buffer_position = 0;
3020 
3021             if (png_get_uint_32(pm->buffer) != 13 ||
3022                 png_get_uint_32(pm->buffer+4) != CHUNK_IHDR)
3023                png_error(pm->this.pread, "invalid IHDR");
3024 
3025             /* Check the list of modifiers for modifications to the IHDR. */
3026             mod = pm->modifications;
3027             while (mod != NULL)
3028             {
3029                if (mod->chunk == CHUNK_IHDR && mod->modify_fn &&
3030                    (*mod->modify_fn)(pm, mod, 0))
3031                   {
3032                   mod->modified = 1;
3033                   modifier_setbuffer(pm);
3034                   }
3035 
3036                /* Ignore removal or add if IHDR! */
3037                mod = mod->next;
3038             }
3039 
3040             /* Cache information from the IHDR (the modified one.) */
3041             pm->bit_depth = pm->buffer[8+8];
3042             pm->colour_type = pm->buffer[8+8+1];
3043 
3044             pm->state = modifier_IHDR;
3045             pm->flush = 0;
3046             break;
3047 
3048          case modifier_IHDR:
3049          default:
3050             /* Read a new chunk and process it until we see PLTE, IDAT or
3051              * IEND.  'flush' indicates that there is still some data to
3052              * output from the preceding chunk.
3053              */
3054             if ((cb = pm->flush) > 0)
3055             {
3056                if (cb > st) cb = st;
3057                pm->flush -= cb;
3058                store_read_chunk(&pm->this, pb, cb, cb);
3059                pb += cb;
3060                st -= cb;
3061                if (st == 0) return;
3062             }
3063 
3064             /* No more bytes to flush, read a header, or handle a pending
3065              * chunk.
3066              */
3067             if (pm->pending_chunk != 0)
3068             {
3069                png_save_uint_32(pm->buffer, pm->pending_len);
3070                png_save_uint_32(pm->buffer+4, pm->pending_chunk);
3071                pm->pending_len = 0;
3072                pm->pending_chunk = 0;
3073             }
3074             else
3075                store_read_chunk(&pm->this, pm->buffer, 8, 8);
3076 
3077             pm->buffer_count = 8;
3078             pm->buffer_position = 0;
3079 
3080             /* Check for something to modify or a terminator chunk. */
3081             len = png_get_uint_32(pm->buffer);
3082             chunk = png_get_uint_32(pm->buffer+4);
3083 
3084             /* Terminators first, they may have to be delayed for added
3085              * chunks
3086              */
3087             if (chunk == CHUNK_PLTE || chunk == CHUNK_IDAT ||
3088                 chunk == CHUNK_IEND)
3089             {
3090                mod = pm->modifications;
3091 
3092                while (mod != NULL)
3093                {
3094                   if ((mod->add == chunk ||
3095                       (mod->add == CHUNK_PLTE && chunk == CHUNK_IDAT)) &&
3096                       mod->modify_fn != NULL && !mod->modified && !mod->added)
3097                   {
3098                      /* Regardless of what the modify function does do not run
3099                       * this again.
3100                       */
3101                      mod->added = 1;
3102 
3103                      if ((*mod->modify_fn)(pm, mod, 1 /*add*/))
3104                      {
3105                         /* Reset the CRC on a new chunk */
3106                         if (pm->buffer_count > 0)
3107                            modifier_setbuffer(pm);
3108 
3109                         else
3110                            {
3111                            pm->buffer_position = 0;
3112                            mod->removed = 1;
3113                            }
3114 
3115                         /* The buffer has been filled with something (we assume)
3116                          * so output this.  Pend the current chunk.
3117                          */
3118                         pm->pending_len = len;
3119                         pm->pending_chunk = chunk;
3120                         break; /* out of while */
3121                      }
3122                   }
3123 
3124                   mod = mod->next;
3125                }
3126 
3127                /* Don't do any further processing if the buffer was modified -
3128                 * otherwise the code will end up modifying a chunk that was
3129                 * just added.
3130                 */
3131                if (mod != NULL)
3132                   break; /* out of switch */
3133             }
3134 
3135             /* If we get to here then this chunk may need to be modified.  To
3136              * do this it must be less than 1024 bytes in total size, otherwise
3137              * it just gets flushed.
3138              */
3139             if (len+12 <= sizeof pm->buffer)
3140             {
3141                png_size_t s = len+12-pm->buffer_count;
3142                store_read_chunk(&pm->this, pm->buffer+pm->buffer_count, s, s);
3143                pm->buffer_count = len+12;
3144 
3145                /* Check for a modification, else leave it be. */
3146                mod = pm->modifications;
3147                while (mod != NULL)
3148                {
3149                   if (mod->chunk == chunk)
3150                   {
3151                      if (mod->modify_fn == NULL)
3152                      {
3153                         /* Remove this chunk */
3154                         pm->buffer_count = pm->buffer_position = 0;
3155                         mod->removed = 1;
3156                         break; /* Terminate the while loop */
3157                      }
3158 
3159                      else if ((*mod->modify_fn)(pm, mod, 0))
3160                      {
3161                         mod->modified = 1;
3162                         /* The chunk may have been removed: */
3163                         if (pm->buffer_count == 0)
3164                         {
3165                            pm->buffer_position = 0;
3166                            break;
3167                         }
3168                         modifier_setbuffer(pm);
3169                      }
3170                   }
3171 
3172                   mod = mod->next;
3173                }
3174             }
3175 
3176             else
3177                pm->flush = len+12 - pm->buffer_count; /* data + crc */
3178 
3179             /* Take the data from the buffer (if there is any). */
3180             break;
3181       }
3182 
3183       /* Here to read from the modifier buffer (not directly from
3184        * the store, as in the flush case above.)
3185        */
3186       cb = pm->buffer_count - pm->buffer_position;
3187 
3188       if (cb > st)
3189          cb = st;
3190 
3191       memcpy(pb, pm->buffer + pm->buffer_position, cb);
3192       st -= cb;
3193       pb += cb;
3194       pm->buffer_position += cb;
3195    }
3196 }
3197 
3198 /* The callback: */
3199 static void PNGCBAPI
modifier_read(png_structp ppIn,png_bytep pb,png_size_t st)3200 modifier_read(png_structp ppIn, png_bytep pb, png_size_t st)
3201 {
3202    png_const_structp pp = ppIn;
3203    png_modifier *pm = voidcast(png_modifier*, png_get_io_ptr(pp));
3204 
3205    if (pm == NULL || pm->this.pread != pp)
3206       png_error(pp, "bad modifier_read call");
3207 
3208    modifier_read_imp(pm, pb, st);
3209 }
3210 
3211 /* Like store_progressive_read but the data is getting changed as we go so we
3212  * need a local buffer.
3213  */
3214 static void
modifier_progressive_read(png_modifier * pm,png_structp pp,png_infop pi)3215 modifier_progressive_read(png_modifier *pm, png_structp pp, png_infop pi)
3216 {
3217    if (pm->this.pread != pp || pm->this.current == NULL ||
3218        pm->this.next == NULL)
3219       png_error(pp, "store state damaged (progressive)");
3220 
3221    /* This is another Horowitz and Hill random noise generator.  In this case
3222     * the aim is to stress the progressive reader with truly horrible variable
3223     * buffer sizes in the range 1..500, so a sequence of 9 bit random numbers
3224     * is generated.  We could probably just count from 1 to 32767 and get as
3225     * good a result.
3226     */
3227    for (;;)
3228    {
3229       static png_uint_32 noise = 1;
3230       png_size_t cb, cbAvail;
3231       png_byte buffer[512];
3232 
3233       /* Generate 15 more bits of stuff: */
3234       noise = (noise << 9) | ((noise ^ (noise >> (9-5))) & 0x1ff);
3235       cb = noise & 0x1ff;
3236 
3237       /* Check that this number of bytes are available (in the current buffer.)
3238        * (This doesn't quite work - the modifier might delete a chunk; unlikely
3239        * but possible, it doesn't happen at present because the modifier only
3240        * adds chunks to standard images.)
3241        */
3242       cbAvail = store_read_buffer_avail(&pm->this);
3243       if (pm->buffer_count > pm->buffer_position)
3244          cbAvail += pm->buffer_count - pm->buffer_position;
3245 
3246       if (cb > cbAvail)
3247       {
3248          /* Check for EOF: */
3249          if (cbAvail == 0)
3250             break;
3251 
3252          cb = cbAvail;
3253       }
3254 
3255       modifier_read_imp(pm, buffer, cb);
3256       png_process_data(pp, pi, buffer, cb);
3257    }
3258 
3259    /* Check the invariants at the end (if this fails it's a problem in this
3260     * file!)
3261     */
3262    if (pm->buffer_count > pm->buffer_position ||
3263        pm->this.next != &pm->this.current->data ||
3264        pm->this.readpos < pm->this.current->datacount)
3265       png_error(pp, "progressive read implementation error");
3266 }
3267 
3268 /* Set up a modifier. */
3269 static png_structp
set_modifier_for_read(png_modifier * pm,png_infopp ppi,png_uint_32 id,const char * name)3270 set_modifier_for_read(png_modifier *pm, png_infopp ppi, png_uint_32 id,
3271     const char *name)
3272 {
3273    /* Do this first so that the modifier fields are cleared even if an error
3274     * happens allocating the png_struct.  No allocation is done here so no
3275     * cleanup is required.
3276     */
3277    pm->state = modifier_start;
3278    pm->bit_depth = 0;
3279    pm->colour_type = 255;
3280 
3281    pm->pending_len = 0;
3282    pm->pending_chunk = 0;
3283    pm->flush = 0;
3284    pm->buffer_count = 0;
3285    pm->buffer_position = 0;
3286 
3287    return set_store_for_read(&pm->this, ppi, id, name);
3288 }
3289 
3290 
3291 /******************************** MODIFICATIONS *******************************/
3292 /* Standard modifications to add chunks.  These do not require the _SUPPORTED
3293  * macros because the chunks can be there regardless of whether this specific
3294  * libpng supports them.
3295  */
3296 typedef struct gama_modification
3297 {
3298    png_modification this;
3299    png_fixed_point  gamma;
3300 } gama_modification;
3301 
3302 static int
gama_modify(png_modifier * pm,png_modification * me,int add)3303 gama_modify(png_modifier *pm, png_modification *me, int add)
3304 {
3305    UNUSED(add)
3306    /* This simply dumps the given gamma value into the buffer. */
3307    png_save_uint_32(pm->buffer, 4);
3308    png_save_uint_32(pm->buffer+4, CHUNK_gAMA);
3309    png_save_uint_32(pm->buffer+8, ((gama_modification*)me)->gamma);
3310    return 1;
3311 }
3312 
3313 static void
gama_modification_init(gama_modification * me,png_modifier * pm,double gammad)3314 gama_modification_init(gama_modification *me, png_modifier *pm, double gammad)
3315 {
3316    double g;
3317 
3318    modification_init(&me->this);
3319    me->this.chunk = CHUNK_gAMA;
3320    me->this.modify_fn = gama_modify;
3321    me->this.add = CHUNK_PLTE;
3322    g = fix(gammad);
3323    me->gamma = (png_fixed_point)g;
3324    me->this.next = pm->modifications;
3325    pm->modifications = &me->this;
3326 }
3327 
3328 typedef struct chrm_modification
3329 {
3330    png_modification          this;
3331    const color_encoding *encoding;
3332    png_fixed_point           wx, wy, rx, ry, gx, gy, bx, by;
3333 } chrm_modification;
3334 
3335 static int
chrm_modify(png_modifier * pm,png_modification * me,int add)3336 chrm_modify(png_modifier *pm, png_modification *me, int add)
3337 {
3338    UNUSED(add)
3339    /* As with gAMA this just adds the required cHRM chunk to the buffer. */
3340    png_save_uint_32(pm->buffer   , 32);
3341    png_save_uint_32(pm->buffer+ 4, CHUNK_cHRM);
3342    png_save_uint_32(pm->buffer+ 8, ((chrm_modification*)me)->wx);
3343    png_save_uint_32(pm->buffer+12, ((chrm_modification*)me)->wy);
3344    png_save_uint_32(pm->buffer+16, ((chrm_modification*)me)->rx);
3345    png_save_uint_32(pm->buffer+20, ((chrm_modification*)me)->ry);
3346    png_save_uint_32(pm->buffer+24, ((chrm_modification*)me)->gx);
3347    png_save_uint_32(pm->buffer+28, ((chrm_modification*)me)->gy);
3348    png_save_uint_32(pm->buffer+32, ((chrm_modification*)me)->bx);
3349    png_save_uint_32(pm->buffer+36, ((chrm_modification*)me)->by);
3350    return 1;
3351 }
3352 
3353 static void
chrm_modification_init(chrm_modification * me,png_modifier * pm,const color_encoding * encoding)3354 chrm_modification_init(chrm_modification *me, png_modifier *pm,
3355    const color_encoding *encoding)
3356 {
3357    CIE_color white = white_point(encoding);
3358 
3359    /* Original end points: */
3360    me->encoding = encoding;
3361 
3362    /* Chromaticities (in fixed point): */
3363    me->wx = fix(chromaticity_x(white));
3364    me->wy = fix(chromaticity_y(white));
3365 
3366    me->rx = fix(chromaticity_x(encoding->red));
3367    me->ry = fix(chromaticity_y(encoding->red));
3368    me->gx = fix(chromaticity_x(encoding->green));
3369    me->gy = fix(chromaticity_y(encoding->green));
3370    me->bx = fix(chromaticity_x(encoding->blue));
3371    me->by = fix(chromaticity_y(encoding->blue));
3372 
3373    modification_init(&me->this);
3374    me->this.chunk = CHUNK_cHRM;
3375    me->this.modify_fn = chrm_modify;
3376    me->this.add = CHUNK_PLTE;
3377    me->this.next = pm->modifications;
3378    pm->modifications = &me->this;
3379 }
3380 
3381 typedef struct srgb_modification
3382 {
3383    png_modification this;
3384    png_byte         intent;
3385 } srgb_modification;
3386 
3387 static int
srgb_modify(png_modifier * pm,png_modification * me,int add)3388 srgb_modify(png_modifier *pm, png_modification *me, int add)
3389 {
3390    UNUSED(add)
3391    /* As above, ignore add and just make a new chunk */
3392    png_save_uint_32(pm->buffer, 1);
3393    png_save_uint_32(pm->buffer+4, CHUNK_sRGB);
3394    pm->buffer[8] = ((srgb_modification*)me)->intent;
3395    return 1;
3396 }
3397 
3398 static void
srgb_modification_init(srgb_modification * me,png_modifier * pm,png_byte intent)3399 srgb_modification_init(srgb_modification *me, png_modifier *pm, png_byte intent)
3400 {
3401    modification_init(&me->this);
3402    me->this.chunk = CHUNK_sBIT;
3403 
3404    if (intent <= 3) /* if valid, else *delete* sRGB chunks */
3405    {
3406       me->this.modify_fn = srgb_modify;
3407       me->this.add = CHUNK_PLTE;
3408       me->intent = intent;
3409    }
3410 
3411    else
3412    {
3413       me->this.modify_fn = 0;
3414       me->this.add = 0;
3415       me->intent = 0;
3416    }
3417 
3418    me->this.next = pm->modifications;
3419    pm->modifications = &me->this;
3420 }
3421 
3422 #ifdef PNG_READ_GAMMA_SUPPORTED
3423 typedef struct sbit_modification
3424 {
3425    png_modification this;
3426    png_byte         sbit;
3427 } sbit_modification;
3428 
3429 static int
sbit_modify(png_modifier * pm,png_modification * me,int add)3430 sbit_modify(png_modifier *pm, png_modification *me, int add)
3431 {
3432    png_byte sbit = ((sbit_modification*)me)->sbit;
3433    if (pm->bit_depth > sbit)
3434    {
3435       int cb = 0;
3436       switch (pm->colour_type)
3437       {
3438          case 0:
3439             cb = 1;
3440             break;
3441 
3442          case 2:
3443          case 3:
3444             cb = 3;
3445             break;
3446 
3447          case 4:
3448             cb = 2;
3449             break;
3450 
3451          case 6:
3452             cb = 4;
3453             break;
3454 
3455          default:
3456             png_error(pm->this.pread,
3457                "unexpected colour type in sBIT modification");
3458       }
3459 
3460       png_save_uint_32(pm->buffer, cb);
3461       png_save_uint_32(pm->buffer+4, CHUNK_sBIT);
3462 
3463       while (cb > 0)
3464          (pm->buffer+8)[--cb] = sbit;
3465 
3466       return 1;
3467    }
3468    else if (!add)
3469    {
3470       /* Remove the sBIT chunk */
3471       pm->buffer_count = pm->buffer_position = 0;
3472       return 1;
3473    }
3474    else
3475       return 0; /* do nothing */
3476 }
3477 
3478 static void
sbit_modification_init(sbit_modification * me,png_modifier * pm,png_byte sbit)3479 sbit_modification_init(sbit_modification *me, png_modifier *pm, png_byte sbit)
3480 {
3481    modification_init(&me->this);
3482    me->this.chunk = CHUNK_sBIT;
3483    me->this.modify_fn = sbit_modify;
3484    me->this.add = CHUNK_PLTE;
3485    me->sbit = sbit;
3486    me->this.next = pm->modifications;
3487    pm->modifications = &me->this;
3488 }
3489 #endif /* PNG_READ_GAMMA_SUPPORTED */
3490 #endif /* PNG_READ_TRANSFORMS_SUPPORTED */
3491 
3492 /***************************** STANDARD PNG FILES *****************************/
3493 /* Standard files - write and save standard files. */
3494 /* There are two basic forms of standard images.  Those which attempt to have
3495  * all the possible pixel values (not possible for 16bpp images, but a range of
3496  * values are produced) and those which have a range of image sizes.  The former
3497  * are used for testing transforms, in particular gamma correction and bit
3498  * reduction and increase.  The latter are reserved for testing the behavior of
3499  * libpng with respect to 'odd' image sizes - particularly small images where
3500  * rows become 1 byte and interlace passes disappear.
3501  *
3502  * The first, most useful, set are the 'transform' images, the second set of
3503  * small images are the 'size' images.
3504  *
3505  * The transform files are constructed with rows which fit into a 1024 byte row
3506  * buffer.  This makes allocation easier below.  Further regardless of the file
3507  * format every row has 128 pixels (giving 1024 bytes for 64bpp formats).
3508  *
3509  * Files are stored with no gAMA or sBIT chunks, with a PLTE only when needed
3510  * and with an ID derived from the colour type, bit depth and interlace type
3511  * as above (FILEID).  The width (128) and height (variable) are not stored in
3512  * the FILEID - instead the fields are set to 0, indicating a transform file.
3513  *
3514  * The size files ar constructed with rows a maximum of 128 bytes wide, allowing
3515  * a maximum width of 16 pixels (for the 64bpp case.)  They also have a maximum
3516  * height of 16 rows.  The width and height are stored in the FILEID and, being
3517  * non-zero, indicate a size file.
3518  *
3519  * Because the PNG filter code is typically the largest CPU consumer within
3520  * libpng itself there is a tendency to attempt to optimize it.  This results in
3521  * special case code which needs to be validated.  To cause this to happen the
3522  * 'size' images are made to use each possible filter, in so far as this is
3523  * possible for smaller images.
3524  *
3525  * For palette image (colour type 3) multiple transform images are stored with
3526  * the same bit depth to allow testing of more colour combinations -
3527  * particularly important for testing the gamma code because libpng uses a
3528  * different code path for palette images.  For size images a single palette is
3529  * used.
3530  */
3531 
3532 /* Make a 'standard' palette.  Because there are only 256 entries in a palette
3533  * (maximum) this actually makes a random palette in the hope that enough tests
3534  * will catch enough errors.  (Note that the same palette isn't produced every
3535  * time for the same test - it depends on what previous tests have been run -
3536  * but a given set of arguments to pngvalid will always produce the same palette
3537  * at the same test!  This is why pseudo-random number generators are useful for
3538  * testing.)
3539  *
3540  * The store must be open for write when this is called, otherwise an internal
3541  * error will occur.  This routine contains its own magic number seed, so the
3542  * palettes generated don't change if there are intervening errors (changing the
3543  * calls to the store_mark seed.)
3544  */
3545 static store_palette_entry *
make_standard_palette(png_store * ps,int npalette,int do_tRNS)3546 make_standard_palette(png_store* ps, int npalette, int do_tRNS)
3547 {
3548    static png_uint_32 palette_seed[2] = { 0x87654321, 9 };
3549 
3550    int i = 0;
3551    png_byte values[256][4];
3552 
3553    /* Always put in black and white plus the six primary and secondary colors.
3554     */
3555    for (; i<8; ++i)
3556    {
3557       values[i][1] = (png_byte)((i&1) ? 255U : 0U);
3558       values[i][2] = (png_byte)((i&2) ? 255U : 0U);
3559       values[i][3] = (png_byte)((i&4) ? 255U : 0U);
3560    }
3561 
3562    /* Then add 62 grays (one quarter of the remaining 256 slots). */
3563    {
3564       int j = 0;
3565       png_byte random_bytes[4];
3566       png_byte need[256];
3567 
3568       need[0] = 0; /*got black*/
3569       memset(need+1, 1, (sizeof need)-2); /*need these*/
3570       need[255] = 0; /*but not white*/
3571 
3572       while (i<70)
3573       {
3574          png_byte b;
3575 
3576          if (j==0)
3577          {
3578             make_four_random_bytes(palette_seed, random_bytes);
3579             j = 4;
3580          }
3581 
3582          b = random_bytes[--j];
3583          if (need[b])
3584          {
3585             values[i][1] = b;
3586             values[i][2] = b;
3587             values[i++][3] = b;
3588          }
3589       }
3590    }
3591 
3592    /* Finally add 192 colors at random - don't worry about matches to things we
3593     * already have, chance is less than 1/65536.  Don't worry about grays,
3594     * chance is the same, so we get a duplicate or extra gray less than 1 time
3595     * in 170.
3596     */
3597    for (; i<256; ++i)
3598       make_four_random_bytes(palette_seed, values[i]);
3599 
3600    /* Fill in the alpha values in the first byte.  Just use all possible values
3601     * (0..255) in an apparently random order:
3602     */
3603    {
3604       store_palette_entry *palette;
3605       png_byte selector[4];
3606 
3607       make_four_random_bytes(palette_seed, selector);
3608 
3609       if (do_tRNS)
3610          for (i=0; i<256; ++i)
3611             values[i][0] = (png_byte)(i ^ selector[0]);
3612 
3613       else
3614          for (i=0; i<256; ++i)
3615             values[i][0] = 255; /* no transparency/tRNS chunk */
3616 
3617       /* 'values' contains 256 ARGB values, but we only need 'npalette'.
3618        * 'npalette' will always be a power of 2: 2, 4, 16 or 256.  In the low
3619        * bit depth cases select colors at random, else it is difficult to have
3620        * a set of low bit depth palette test with any chance of a reasonable
3621        * range of colors.  Do this by randomly permuting values into the low
3622        * 'npalette' entries using an XOR mask generated here.  This also
3623        * permutes the npalette == 256 case in a potentially useful way (there is
3624        * no relationship between palette index and the color value therein!)
3625        */
3626       palette = store_write_palette(ps, npalette);
3627 
3628       for (i=0; i<npalette; ++i)
3629       {
3630          palette[i].alpha = values[i ^ selector[1]][0];
3631          palette[i].red   = values[i ^ selector[1]][1];
3632          palette[i].green = values[i ^ selector[1]][2];
3633          palette[i].blue  = values[i ^ selector[1]][3];
3634       }
3635 
3636       return palette;
3637    }
3638 }
3639 
3640 /* Initialize a standard palette on a write stream.  The 'do_tRNS' argument
3641  * indicates whether or not to also set the tRNS chunk.
3642  */
3643 /* TODO: the png_structp here can probably be 'const' in the future */
3644 static void
init_standard_palette(png_store * ps,png_structp pp,png_infop pi,int npalette,int do_tRNS)3645 init_standard_palette(png_store *ps, png_structp pp, png_infop pi, int npalette,
3646    int do_tRNS)
3647 {
3648    store_palette_entry *ppal = make_standard_palette(ps, npalette, do_tRNS);
3649 
3650    {
3651       int i;
3652       png_color palette[256];
3653 
3654       /* Set all entries to detect overread errors. */
3655       for (i=0; i<npalette; ++i)
3656       {
3657          palette[i].red = ppal[i].red;
3658          palette[i].green = ppal[i].green;
3659          palette[i].blue = ppal[i].blue;
3660       }
3661 
3662       /* Just in case fill in the rest with detectable values: */
3663       for (; i<256; ++i)
3664          palette[i].red = palette[i].green = palette[i].blue = 42;
3665 
3666       png_set_PLTE(pp, pi, palette, npalette);
3667    }
3668 
3669    if (do_tRNS)
3670    {
3671       int i, j;
3672       png_byte tRNS[256];
3673 
3674       /* Set all the entries, but skip trailing opaque entries */
3675       for (i=j=0; i<npalette; ++i)
3676          if ((tRNS[i] = ppal[i].alpha) < 255)
3677             j = i+1;
3678 
3679       /* Fill in the remainder with a detectable value: */
3680       for (; i<256; ++i)
3681          tRNS[i] = 24;
3682 
3683 #ifdef PNG_WRITE_tRNS_SUPPORTED
3684       if (j > 0)
3685          png_set_tRNS(pp, pi, tRNS, j, 0/*color*/);
3686 #endif
3687    }
3688 }
3689 
3690 #ifdef PNG_WRITE_tRNS_SUPPORTED
3691 static void
set_random_tRNS(png_structp pp,png_infop pi,const png_byte colour_type,const int bit_depth)3692 set_random_tRNS(png_structp pp, png_infop pi, const png_byte colour_type,
3693    const int bit_depth)
3694 {
3695    /* To make this useful the tRNS color needs to match at least one pixel.
3696     * Random values are fine for gray, including the 16-bit case where we know
3697     * that the test image contains all the gray values.  For RGB we need more
3698     * method as only 65536 different RGB values are generated.
3699     */
3700    png_color_16 tRNS;
3701    const png_uint_16 mask = (png_uint_16)((1U << bit_depth)-1);
3702 
3703    R8(tRNS); /* makes unset fields random */
3704 
3705    if (colour_type & 2/*RGB*/)
3706    {
3707       if (bit_depth == 8)
3708       {
3709          tRNS.red = random_u16();
3710          tRNS.green = random_u16();
3711          tRNS.blue = tRNS.red ^ tRNS.green;
3712          tRNS.red &= mask;
3713          tRNS.green &= mask;
3714          tRNS.blue &= mask;
3715       }
3716 
3717       else /* bit_depth == 16 */
3718       {
3719          tRNS.red = random_u16();
3720          tRNS.green = (png_uint_16)(tRNS.red * 257);
3721          tRNS.blue = (png_uint_16)(tRNS.green * 17);
3722       }
3723    }
3724 
3725    else
3726    {
3727       tRNS.gray = random_u16();
3728       tRNS.gray &= mask;
3729    }
3730 
3731    png_set_tRNS(pp, pi, NULL, 0, &tRNS);
3732 }
3733 #endif
3734 
3735 /* The number of passes is related to the interlace type. There was no libpng
3736  * API to determine this prior to 1.5, so we need an inquiry function:
3737  */
3738 static int
npasses_from_interlace_type(png_const_structp pp,int interlace_type)3739 npasses_from_interlace_type(png_const_structp pp, int interlace_type)
3740 {
3741    switch (interlace_type)
3742    {
3743    default:
3744       png_error(pp, "invalid interlace type");
3745 
3746    case PNG_INTERLACE_NONE:
3747       return 1;
3748 
3749    case PNG_INTERLACE_ADAM7:
3750       return PNG_INTERLACE_ADAM7_PASSES;
3751    }
3752 }
3753 
3754 static unsigned int
bit_size(png_const_structp pp,png_byte colour_type,png_byte bit_depth)3755 bit_size(png_const_structp pp, png_byte colour_type, png_byte bit_depth)
3756 {
3757    switch (colour_type)
3758    {
3759       default: png_error(pp, "invalid color type");
3760 
3761       case 0:  return bit_depth;
3762 
3763       case 2:  return 3*bit_depth;
3764 
3765       case 3:  return bit_depth;
3766 
3767       case 4:  return 2*bit_depth;
3768 
3769       case 6:  return 4*bit_depth;
3770    }
3771 }
3772 
3773 #define TRANSFORM_WIDTH  128U
3774 #define TRANSFORM_ROWMAX (TRANSFORM_WIDTH*8U)
3775 #define SIZE_ROWMAX (16*8U) /* 16 pixels, max 8 bytes each - 128 bytes */
3776 #define STANDARD_ROWMAX TRANSFORM_ROWMAX /* The larger of the two */
3777 #define SIZE_HEIGHTMAX 16 /* Maximum range of size images */
3778 
3779 static size_t
transform_rowsize(png_const_structp pp,png_byte colour_type,png_byte bit_depth)3780 transform_rowsize(png_const_structp pp, png_byte colour_type,
3781    png_byte bit_depth)
3782 {
3783    return (TRANSFORM_WIDTH * bit_size(pp, colour_type, bit_depth)) / 8;
3784 }
3785 
3786 /* transform_width(pp, colour_type, bit_depth) current returns the same number
3787  * every time, so just use a macro:
3788  */
3789 #define transform_width(pp, colour_type, bit_depth) TRANSFORM_WIDTH
3790 
3791 static png_uint_32
transform_height(png_const_structp pp,png_byte colour_type,png_byte bit_depth)3792 transform_height(png_const_structp pp, png_byte colour_type, png_byte bit_depth)
3793 {
3794    switch (bit_size(pp, colour_type, bit_depth))
3795    {
3796       case 1:
3797       case 2:
3798       case 4:
3799          return 1;   /* Total of 128 pixels */
3800 
3801       case 8:
3802          return 2;   /* Total of 256 pixels/bytes */
3803 
3804       case 16:
3805          return 512; /* Total of 65536 pixels */
3806 
3807       case 24:
3808       case 32:
3809          return 512; /* 65536 pixels */
3810 
3811       case 48:
3812       case 64:
3813          return 2048;/* 4 x 65536 pixels. */
3814 #        define TRANSFORM_HEIGHTMAX 2048
3815 
3816       default:
3817          return 0;   /* Error, will be caught later */
3818    }
3819 }
3820 
3821 #ifdef PNG_READ_SUPPORTED
3822 /* The following can only be defined here, now we have the definitions
3823  * of the transform image sizes.
3824  */
3825 static png_uint_32
standard_width(png_const_structp pp,png_uint_32 id)3826 standard_width(png_const_structp pp, png_uint_32 id)
3827 {
3828    png_uint_32 width = WIDTH_FROM_ID(id);
3829    UNUSED(pp)
3830 
3831    if (width == 0)
3832       width = transform_width(pp, COL_FROM_ID(id), DEPTH_FROM_ID(id));
3833 
3834    return width;
3835 }
3836 
3837 static png_uint_32
standard_height(png_const_structp pp,png_uint_32 id)3838 standard_height(png_const_structp pp, png_uint_32 id)
3839 {
3840    png_uint_32 height = HEIGHT_FROM_ID(id);
3841 
3842    if (height == 0)
3843       height = transform_height(pp, COL_FROM_ID(id), DEPTH_FROM_ID(id));
3844 
3845    return height;
3846 }
3847 
3848 static png_uint_32
standard_rowsize(png_const_structp pp,png_uint_32 id)3849 standard_rowsize(png_const_structp pp, png_uint_32 id)
3850 {
3851    png_uint_32 width = standard_width(pp, id);
3852 
3853    /* This won't overflow: */
3854    width *= bit_size(pp, COL_FROM_ID(id), DEPTH_FROM_ID(id));
3855    return (width + 7) / 8;
3856 }
3857 #endif /* PNG_READ_SUPPORTED */
3858 
3859 static void
transform_row(png_const_structp pp,png_byte buffer[TRANSFORM_ROWMAX],png_byte colour_type,png_byte bit_depth,png_uint_32 y)3860 transform_row(png_const_structp pp, png_byte buffer[TRANSFORM_ROWMAX],
3861    png_byte colour_type, png_byte bit_depth, png_uint_32 y)
3862 {
3863    png_uint_32 v = y << 7;
3864    png_uint_32 i = 0;
3865 
3866    switch (bit_size(pp, colour_type, bit_depth))
3867    {
3868       case 1:
3869          while (i<128/8) buffer[i] = (png_byte)(v & 0xff), v += 17, ++i;
3870          return;
3871 
3872       case 2:
3873          while (i<128/4) buffer[i] = (png_byte)(v & 0xff), v += 33, ++i;
3874          return;
3875 
3876       case 4:
3877          while (i<128/2) buffer[i] = (png_byte)(v & 0xff), v += 65, ++i;
3878          return;
3879 
3880       case 8:
3881          /* 256 bytes total, 128 bytes in each row set as follows: */
3882          while (i<128) buffer[i] = (png_byte)(v & 0xff), ++v, ++i;
3883          return;
3884 
3885       case 16:
3886          /* Generate all 65536 pixel values in order, which includes the 8 bit
3887           * GA case as well as the 16 bit G case.
3888           */
3889          while (i<128)
3890          {
3891             buffer[2*i] = (png_byte)((v>>8) & 0xff);
3892             buffer[2*i+1] = (png_byte)(v & 0xff);
3893             ++v;
3894             ++i;
3895          }
3896 
3897          return;
3898 
3899       case 24:
3900          /* 65535 pixels, but rotate the values. */
3901          while (i<128)
3902          {
3903             /* Three bytes per pixel, r, g, b, make b by r^g */
3904             buffer[3*i+0] = (png_byte)((v >> 8) & 0xff);
3905             buffer[3*i+1] = (png_byte)(v & 0xff);
3906             buffer[3*i+2] = (png_byte)(((v >> 8) ^ v) & 0xff);
3907             ++v;
3908             ++i;
3909          }
3910 
3911          return;
3912 
3913       case 32:
3914          /* 65535 pixels, r, g, b, a; just replicate */
3915          while (i<128)
3916          {
3917             buffer[4*i+0] = (png_byte)((v >> 8) & 0xff);
3918             buffer[4*i+1] = (png_byte)(v & 0xff);
3919             buffer[4*i+2] = (png_byte)((v >> 8) & 0xff);
3920             buffer[4*i+3] = (png_byte)(v & 0xff);
3921             ++v;
3922             ++i;
3923          }
3924 
3925          return;
3926 
3927       case 48:
3928          /* y is maximum 2047, giving 4x65536 pixels, make 'r' increase by 1 at
3929           * each pixel, g increase by 257 (0x101) and 'b' by 0x1111:
3930           */
3931          while (i<128)
3932          {
3933             png_uint_32 t = v++;
3934             buffer[6*i+0] = (png_byte)((t >> 8) & 0xff);
3935             buffer[6*i+1] = (png_byte)(t & 0xff);
3936             t *= 257;
3937             buffer[6*i+2] = (png_byte)((t >> 8) & 0xff);
3938             buffer[6*i+3] = (png_byte)(t & 0xff);
3939             t *= 17;
3940             buffer[6*i+4] = (png_byte)((t >> 8) & 0xff);
3941             buffer[6*i+5] = (png_byte)(t & 0xff);
3942             ++i;
3943          }
3944 
3945          return;
3946 
3947       case 64:
3948          /* As above in the 32 bit case. */
3949          while (i<128)
3950          {
3951             png_uint_32 t = v++;
3952             buffer[8*i+0] = (png_byte)((t >> 8) & 0xff);
3953             buffer[8*i+1] = (png_byte)(t & 0xff);
3954             buffer[8*i+4] = (png_byte)((t >> 8) & 0xff);
3955             buffer[8*i+5] = (png_byte)(t & 0xff);
3956             t *= 257;
3957             buffer[8*i+2] = (png_byte)((t >> 8) & 0xff);
3958             buffer[8*i+3] = (png_byte)(t & 0xff);
3959             buffer[8*i+6] = (png_byte)((t >> 8) & 0xff);
3960             buffer[8*i+7] = (png_byte)(t & 0xff);
3961             ++i;
3962          }
3963          return;
3964 
3965       default:
3966          break;
3967    }
3968 
3969    png_error(pp, "internal error");
3970 }
3971 
3972 /* This is just to do the right cast - could be changed to a function to check
3973  * 'bd' but there isn't much point.
3974  */
3975 #define DEPTH(bd) ((png_byte)(1U << (bd)))
3976 
3977 /* This is just a helper for compiling on minimal systems with no write
3978  * interlacing support.  If there is no write interlacing we can't generate test
3979  * cases with interlace:
3980  */
3981 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
3982 #  define INTERLACE_LAST PNG_INTERLACE_LAST
3983 #  define check_interlace_type(type) ((void)(type))
3984 #  define set_write_interlace_handling(pp,type) png_set_interlace_handling(pp)
3985 #  define do_own_interlace 0
3986 #elif PNG_LIBPNG_VER < 10700
3987 #  define set_write_interlace_handling(pp,type) (1)
3988 static void
check_interlace_type(int const interlace_type)3989 check_interlace_type(int const interlace_type)
3990 {
3991    /* Prior to 1.7.0 libpng does not support the write of an interlaced image
3992     * unless PNG_WRITE_INTERLACING_SUPPORTED, even with do_interlace so the
3993     * code here does the pixel interlace itself, so:
3994     */
3995    if (interlace_type != PNG_INTERLACE_NONE)
3996    {
3997       /* This is an internal error - --interlace tests should be skipped, not
3998        * attempted.
3999        */
4000       fprintf(stderr, "pngvalid: no interlace support\n");
4001       exit(99);
4002    }
4003 }
4004 #  define INTERLACE_LAST (PNG_INTERLACE_NONE+1)
4005 #  define do_own_interlace 0
4006 #else /* libpng 1.7+ */
4007 #  define set_write_interlace_handling(pp,type)\
4008       npasses_from_interlace_type(pp,type)
4009 #  define check_interlace_type(type) ((void)(type))
4010 #  define INTERLACE_LAST PNG_INTERLACE_LAST
4011 #  define do_own_interlace 1
4012 #endif /* WRITE_INTERLACING tests */
4013 
4014 #define CAN_WRITE_INTERLACE\
4015    PNG_LIBPNG_VER >= 10700 || defined PNG_WRITE_INTERLACING_SUPPORTED
4016 
4017 /* Do the same thing for read interlacing; this controls whether read tests do
4018  * their own de-interlace or use libpng.
4019  */
4020 #ifdef PNG_READ_INTERLACING_SUPPORTED
4021 #  define do_read_interlace 0
4022 #else /* no libpng read interlace support */
4023 #  define do_read_interlace 1
4024 #endif
4025 /* The following two routines use the PNG interlace support macros from
4026  * png.h to interlace or deinterlace rows.
4027  */
4028 static void
interlace_row(png_bytep buffer,png_const_bytep imageRow,unsigned int pixel_size,png_uint_32 w,int pass,int littleendian)4029 interlace_row(png_bytep buffer, png_const_bytep imageRow,
4030    unsigned int pixel_size, png_uint_32 w, int pass, int littleendian)
4031 {
4032    png_uint_32 xin, xout, xstep;
4033 
4034    /* Note that this can, trivially, be optimized to a memcpy on pass 7, the
4035     * code is presented this way to make it easier to understand.  In practice
4036     * consult the code in the libpng source to see other ways of doing this.
4037     *
4038     * It is OK for buffer and imageRow to be identical, because 'xin' moves
4039     * faster than 'xout' and we copy up.
4040     */
4041    xin = PNG_PASS_START_COL(pass);
4042    xstep = 1U<<PNG_PASS_COL_SHIFT(pass);
4043 
4044    for (xout=0; xin<w; xin+=xstep)
4045    {
4046       pixel_copy(buffer, xout, imageRow, xin, pixel_size, littleendian);
4047       ++xout;
4048    }
4049 }
4050 
4051 #ifdef PNG_READ_SUPPORTED
4052 static void
deinterlace_row(png_bytep buffer,png_const_bytep row,unsigned int pixel_size,png_uint_32 w,int pass,int littleendian)4053 deinterlace_row(png_bytep buffer, png_const_bytep row,
4054    unsigned int pixel_size, png_uint_32 w, int pass, int littleendian)
4055 {
4056    /* The inverse of the above, 'row' is part of row 'y' of the output image,
4057     * in 'buffer'.  The image is 'w' wide and this is pass 'pass', distribute
4058     * the pixels of row into buffer and return the number written (to allow
4059     * this to be checked).
4060     */
4061    png_uint_32 xin, xout, xstep;
4062 
4063    xout = PNG_PASS_START_COL(pass);
4064    xstep = 1U<<PNG_PASS_COL_SHIFT(pass);
4065 
4066    for (xin=0; xout<w; xout+=xstep)
4067    {
4068       pixel_copy(buffer, xout, row, xin, pixel_size, littleendian);
4069       ++xin;
4070    }
4071 }
4072 #endif /* PNG_READ_SUPPORTED */
4073 
4074 /* Make a standardized image given an image colour type, bit depth and
4075  * interlace type.  The standard images have a very restricted range of
4076  * rows and heights and are used for testing transforms rather than image
4077  * layout details.  See make_size_images below for a way to make images
4078  * that test odd sizes along with the libpng interlace handling.
4079  */
4080 #ifdef PNG_WRITE_FILTER_SUPPORTED
4081 static void
choose_random_filter(png_structp pp,int start)4082 choose_random_filter(png_structp pp, int start)
4083 {
4084    /* Choose filters randomly except that on the very first row ensure that
4085     * there is at least one previous row filter.
4086     */
4087    int filters = PNG_ALL_FILTERS & random_mod(256U);
4088 
4089    /* There may be no filters; skip the setting. */
4090    if (filters != 0)
4091    {
4092       if (start && filters < PNG_FILTER_UP)
4093          filters |= PNG_FILTER_UP;
4094 
4095       png_set_filter(pp, 0/*method*/, filters);
4096    }
4097 }
4098 #else /* !WRITE_FILTER */
4099 #  define choose_random_filter(pp, start) ((void)0)
4100 #endif /* !WRITE_FILTER */
4101 
4102 static void
make_transform_image(png_store * const ps,png_byte const colour_type,png_byte const bit_depth,unsigned int palette_number,int interlace_type,png_const_charp name)4103 make_transform_image(png_store* const ps, png_byte const colour_type,
4104     png_byte const bit_depth, unsigned int palette_number,
4105     int interlace_type, png_const_charp name)
4106 {
4107    context(ps, fault);
4108 
4109    check_interlace_type(interlace_type);
4110 
4111    Try
4112    {
4113       png_infop pi;
4114       png_structp pp = set_store_for_write(ps, &pi, name);
4115       png_uint_32 h, w;
4116 
4117       /* In the event of a problem return control to the Catch statement below
4118        * to do the clean up - it is not possible to 'return' directly from a Try
4119        * block.
4120        */
4121       if (pp == NULL)
4122          Throw ps;
4123 
4124       w = transform_width(pp, colour_type, bit_depth);
4125       h = transform_height(pp, colour_type, bit_depth);
4126 
4127       png_set_IHDR(pp, pi, w, h, bit_depth, colour_type, interlace_type,
4128          PNG_COMPRESSION_TYPE_BASE, PNG_FILTER_TYPE_BASE);
4129 
4130 #ifdef PNG_TEXT_SUPPORTED
4131 #  if defined(PNG_READ_zTXt_SUPPORTED) && defined(PNG_WRITE_zTXt_SUPPORTED)
4132 #     define TEXT_COMPRESSION PNG_TEXT_COMPRESSION_zTXt
4133 #  else
4134 #     define TEXT_COMPRESSION PNG_TEXT_COMPRESSION_NONE
4135 #  endif
4136       {
4137          static char key[] = "image name"; /* must be writeable */
4138          size_t pos;
4139          png_text text;
4140          char copy[FILE_NAME_SIZE];
4141 
4142          /* Use a compressed text string to test the correct interaction of text
4143           * compression and IDAT compression.
4144           */
4145          text.compression = TEXT_COMPRESSION;
4146          text.key = key;
4147          /* Yuck: the text must be writable! */
4148          pos = safecat(copy, sizeof copy, 0, ps->wname);
4149          text.text = copy;
4150          text.text_length = pos;
4151          text.itxt_length = 0;
4152          text.lang = 0;
4153          text.lang_key = 0;
4154 
4155          png_set_text(pp, pi, &text, 1);
4156       }
4157 #endif
4158 
4159       if (colour_type == 3) /* palette */
4160          init_standard_palette(ps, pp, pi, 1U << bit_depth, 1/*do tRNS*/);
4161 
4162 #     ifdef PNG_WRITE_tRNS_SUPPORTED
4163          else if (palette_number)
4164             set_random_tRNS(pp, pi, colour_type, bit_depth);
4165 #     endif
4166 
4167       png_write_info(pp, pi);
4168 
4169       if (png_get_rowbytes(pp, pi) !=
4170           transform_rowsize(pp, colour_type, bit_depth))
4171          png_error(pp, "transform row size incorrect");
4172 
4173       else
4174       {
4175          /* Somewhat confusingly this must be called *after* png_write_info
4176           * because if it is called before, the information in *pp has not been
4177           * updated to reflect the interlaced image.
4178           */
4179          int npasses = set_write_interlace_handling(pp, interlace_type);
4180          int pass;
4181 
4182          if (npasses != npasses_from_interlace_type(pp, interlace_type))
4183             png_error(pp, "write: png_set_interlace_handling failed");
4184 
4185          for (pass=0; pass<npasses; ++pass)
4186          {
4187             png_uint_32 y;
4188 
4189             /* do_own_interlace is a pre-defined boolean (a #define) which is
4190              * set if we have to work out the interlaced rows here.
4191              */
4192             for (y=0; y<h; ++y)
4193             {
4194                png_byte buffer[TRANSFORM_ROWMAX];
4195 
4196                transform_row(pp, buffer, colour_type, bit_depth, y);
4197 
4198 #              if do_own_interlace
4199                   /* If do_own_interlace *and* the image is interlaced we need a
4200                    * reduced interlace row; this may be reduced to empty.
4201                    */
4202                   if (interlace_type == PNG_INTERLACE_ADAM7)
4203                   {
4204                      /* The row must not be written if it doesn't exist, notice
4205                       * that there are two conditions here, either the row isn't
4206                       * ever in the pass or the row would be but isn't wide
4207                       * enough to contribute any pixels.  In fact the wPass test
4208                       * can be used to skip the whole y loop in this case.
4209                       */
4210                      if (PNG_ROW_IN_INTERLACE_PASS(y, pass) &&
4211                          PNG_PASS_COLS(w, pass) > 0)
4212                         interlace_row(buffer, buffer,
4213                               bit_size(pp, colour_type, bit_depth), w, pass,
4214                               0/*data always bigendian*/);
4215                      else
4216                         continue;
4217                   }
4218 #              endif /* do_own_interlace */
4219 
4220                choose_random_filter(pp, pass == 0 && y == 0);
4221                png_write_row(pp, buffer);
4222             }
4223          }
4224       }
4225 
4226 #ifdef PNG_TEXT_SUPPORTED
4227       {
4228          static char key[] = "end marker";
4229          static char comment[] = "end";
4230          png_text text;
4231 
4232          /* Use a compressed text string to test the correct interaction of text
4233           * compression and IDAT compression.
4234           */
4235          text.compression = TEXT_COMPRESSION;
4236          text.key = key;
4237          text.text = comment;
4238          text.text_length = (sizeof comment)-1;
4239          text.itxt_length = 0;
4240          text.lang = 0;
4241          text.lang_key = 0;
4242 
4243          png_set_text(pp, pi, &text, 1);
4244       }
4245 #endif
4246 
4247       png_write_end(pp, pi);
4248 
4249       /* And store this under the appropriate id, then clean up. */
4250       store_storefile(ps, FILEID(colour_type, bit_depth, palette_number,
4251          interlace_type, 0, 0, 0));
4252 
4253       store_write_reset(ps);
4254    }
4255 
4256    Catch(fault)
4257    {
4258       /* Use the png_store returned by the exception. This may help the compiler
4259        * because 'ps' is not used in this branch of the setjmp.  Note that fault
4260        * and ps will always be the same value.
4261        */
4262       store_write_reset(fault);
4263    }
4264 }
4265 
4266 static void
make_transform_images(png_modifier * pm)4267 make_transform_images(png_modifier *pm)
4268 {
4269    png_byte colour_type = 0;
4270    png_byte bit_depth = 0;
4271    unsigned int palette_number = 0;
4272 
4273    /* This is in case of errors. */
4274    safecat(pm->this.test, sizeof pm->this.test, 0, "make standard images");
4275 
4276    /* Use next_format to enumerate all the combinations we test, including
4277     * generating multiple low bit depth palette images. Non-A images (palette
4278     * and direct) are created with and without tRNS chunks.
4279     */
4280    while (next_format(&colour_type, &bit_depth, &palette_number, 1, 1))
4281    {
4282       int interlace_type;
4283 
4284       for (interlace_type = PNG_INTERLACE_NONE;
4285            interlace_type < INTERLACE_LAST; ++interlace_type)
4286       {
4287          char name[FILE_NAME_SIZE];
4288 
4289          standard_name(name, sizeof name, 0, colour_type, bit_depth,
4290             palette_number, interlace_type, 0, 0, do_own_interlace);
4291          make_transform_image(&pm->this, colour_type, bit_depth, palette_number,
4292             interlace_type, name);
4293       }
4294    }
4295 }
4296 
4297 /* Build a single row for the 'size' test images; this fills in only the
4298  * first bit_width bits of the sample row.
4299  */
4300 static void
size_row(png_byte buffer[SIZE_ROWMAX],png_uint_32 bit_width,png_uint_32 y)4301 size_row(png_byte buffer[SIZE_ROWMAX], png_uint_32 bit_width, png_uint_32 y)
4302 {
4303    /* height is in the range 1 to 16, so: */
4304    y = ((y & 1) << 7) + ((y & 2) << 6) + ((y & 4) << 5) + ((y & 8) << 4);
4305    /* the following ensures bits are set in small images: */
4306    y ^= 0xA5;
4307 
4308    while (bit_width >= 8)
4309       *buffer++ = (png_byte)y++, bit_width -= 8;
4310 
4311    /* There may be up to 7 remaining bits, these go in the most significant
4312     * bits of the byte.
4313     */
4314    if (bit_width > 0)
4315    {
4316       png_uint_32 mask = (1U<<(8-bit_width))-1;
4317       *buffer = (png_byte)((*buffer & mask) | (y & ~mask));
4318    }
4319 }
4320 
4321 static void
make_size_image(png_store * const ps,png_byte const colour_type,png_byte const bit_depth,int const interlace_type,png_uint_32 const w,png_uint_32 const h,int const do_interlace)4322 make_size_image(png_store* const ps, png_byte const colour_type,
4323     png_byte const bit_depth, int const interlace_type,
4324     png_uint_32 const w, png_uint_32 const h,
4325     int const do_interlace)
4326 {
4327    context(ps, fault);
4328 
4329    check_interlace_type(interlace_type);
4330 
4331    Try
4332    {
4333       png_infop pi;
4334       png_structp pp;
4335       unsigned int pixel_size;
4336 
4337       /* Make a name and get an appropriate id for the store: */
4338       char name[FILE_NAME_SIZE];
4339       const png_uint_32 id = FILEID(colour_type, bit_depth, 0/*palette*/,
4340          interlace_type, w, h, do_interlace);
4341 
4342       standard_name_from_id(name, sizeof name, 0, id);
4343       pp = set_store_for_write(ps, &pi, name);
4344 
4345       /* In the event of a problem return control to the Catch statement below
4346        * to do the clean up - it is not possible to 'return' directly from a Try
4347        * block.
4348        */
4349       if (pp == NULL)
4350          Throw ps;
4351 
4352       png_set_IHDR(pp, pi, w, h, bit_depth, colour_type, interlace_type,
4353          PNG_COMPRESSION_TYPE_BASE, PNG_FILTER_TYPE_BASE);
4354 
4355 #ifdef PNG_TEXT_SUPPORTED
4356       {
4357          static char key[] = "image name"; /* must be writeable */
4358          size_t pos;
4359          png_text text;
4360          char copy[FILE_NAME_SIZE];
4361 
4362          /* Use a compressed text string to test the correct interaction of text
4363           * compression and IDAT compression.
4364           */
4365          text.compression = TEXT_COMPRESSION;
4366          text.key = key;
4367          /* Yuck: the text must be writable! */
4368          pos = safecat(copy, sizeof copy, 0, ps->wname);
4369          text.text = copy;
4370          text.text_length = pos;
4371          text.itxt_length = 0;
4372          text.lang = 0;
4373          text.lang_key = 0;
4374 
4375          png_set_text(pp, pi, &text, 1);
4376       }
4377 #endif
4378 
4379       if (colour_type == 3) /* palette */
4380          init_standard_palette(ps, pp, pi, 1U << bit_depth, 0/*do tRNS*/);
4381 
4382       png_write_info(pp, pi);
4383 
4384       /* Calculate the bit size, divide by 8 to get the byte size - this won't
4385        * overflow because we know the w values are all small enough even for
4386        * a system where 'unsigned int' is only 16 bits.
4387        */
4388       pixel_size = bit_size(pp, colour_type, bit_depth);
4389       if (png_get_rowbytes(pp, pi) != ((w * pixel_size) + 7) / 8)
4390          png_error(pp, "size row size incorrect");
4391 
4392       else
4393       {
4394          int npasses = npasses_from_interlace_type(pp, interlace_type);
4395          png_uint_32 y;
4396          int pass;
4397          png_byte image[16][SIZE_ROWMAX];
4398 
4399          /* To help consistent error detection make the parts of this buffer
4400           * that aren't set below all '1':
4401           */
4402          memset(image, 0xff, sizeof image);
4403 
4404          if (!do_interlace &&
4405              npasses != set_write_interlace_handling(pp, interlace_type))
4406             png_error(pp, "write: png_set_interlace_handling failed");
4407 
4408          /* Prepare the whole image first to avoid making it 7 times: */
4409          for (y=0; y<h; ++y)
4410             size_row(image[y], w * pixel_size, y);
4411 
4412          for (pass=0; pass<npasses; ++pass)
4413          {
4414             /* The following two are for checking the macros: */
4415             const png_uint_32 wPass = PNG_PASS_COLS(w, pass);
4416 
4417             /* If do_interlace is set we don't call png_write_row for every
4418              * row because some of them are empty.  In fact, for a 1x1 image,
4419              * most of them are empty!
4420              */
4421             for (y=0; y<h; ++y)
4422             {
4423                png_const_bytep row = image[y];
4424                png_byte tempRow[SIZE_ROWMAX];
4425 
4426                /* If do_interlace *and* the image is interlaced we
4427                 * need a reduced interlace row; this may be reduced
4428                 * to empty.
4429                 */
4430                if (do_interlace && interlace_type == PNG_INTERLACE_ADAM7)
4431                {
4432                   /* The row must not be written if it doesn't exist, notice
4433                    * that there are two conditions here, either the row isn't
4434                    * ever in the pass or the row would be but isn't wide
4435                    * enough to contribute any pixels.  In fact the wPass test
4436                    * can be used to skip the whole y loop in this case.
4437                    */
4438                   if (PNG_ROW_IN_INTERLACE_PASS(y, pass) && wPass > 0)
4439                   {
4440                      /* Set to all 1's for error detection (libpng tends to
4441                       * set unset things to 0).
4442                       */
4443                      memset(tempRow, 0xff, sizeof tempRow);
4444                      interlace_row(tempRow, row, pixel_size, w, pass,
4445                            0/*data always bigendian*/);
4446                      row = tempRow;
4447                   }
4448                   else
4449                      continue;
4450                }
4451 
4452 #           ifdef PNG_WRITE_FILTER_SUPPORTED
4453                /* Only get to here if the row has some pixels in it, set the
4454                 * filters to 'all' for the very first row and thereafter to a
4455                 * single filter.  It isn't well documented, but png_set_filter
4456                 * does accept a filter number (per the spec) as well as a bit
4457                 * mask.
4458                 *
4459                 * The code now uses filters at random, except that on the first
4460                 * row of an image it ensures that a previous row filter is in
4461                 * the set so that libpng allocates the row buffer.
4462                 */
4463                {
4464                   int filters = 8 << random_mod(PNG_FILTER_VALUE_LAST);
4465 
4466                   if (pass == 0 && y == 0 &&
4467                       (filters < PNG_FILTER_UP || w == 1U))
4468                      filters |= PNG_FILTER_UP;
4469 
4470                   png_set_filter(pp, 0/*method*/, filters);
4471                }
4472 #           endif
4473 
4474                png_write_row(pp, row);
4475             }
4476          }
4477       }
4478 
4479 #ifdef PNG_TEXT_SUPPORTED
4480       {
4481          static char key[] = "end marker";
4482          static char comment[] = "end";
4483          png_text text;
4484 
4485          /* Use a compressed text string to test the correct interaction of text
4486           * compression and IDAT compression.
4487           */
4488          text.compression = TEXT_COMPRESSION;
4489          text.key = key;
4490          text.text = comment;
4491          text.text_length = (sizeof comment)-1;
4492          text.itxt_length = 0;
4493          text.lang = 0;
4494          text.lang_key = 0;
4495 
4496          png_set_text(pp, pi, &text, 1);
4497       }
4498 #endif
4499 
4500       png_write_end(pp, pi);
4501 
4502       /* And store this under the appropriate id, then clean up. */
4503       store_storefile(ps, id);
4504 
4505       store_write_reset(ps);
4506    }
4507 
4508    Catch(fault)
4509    {
4510       /* Use the png_store returned by the exception. This may help the compiler
4511        * because 'ps' is not used in this branch of the setjmp.  Note that fault
4512        * and ps will always be the same value.
4513        */
4514       store_write_reset(fault);
4515    }
4516 }
4517 
4518 static void
make_size(png_store * const ps,png_byte const colour_type,int bdlo,int const bdhi)4519 make_size(png_store* const ps, png_byte const colour_type, int bdlo,
4520     int const bdhi)
4521 {
4522    for (; bdlo <= bdhi; ++bdlo)
4523    {
4524       png_uint_32 width;
4525 
4526       for (width = 1; width <= 16; ++width)
4527       {
4528          png_uint_32 height;
4529 
4530          for (height = 1; height <= 16; ++height)
4531          {
4532             /* The four combinations of DIY interlace and interlace or not -
4533              * no interlace + DIY should be identical to no interlace with
4534              * libpng doing it.
4535              */
4536             make_size_image(ps, colour_type, DEPTH(bdlo), PNG_INTERLACE_NONE,
4537                width, height, 0);
4538             make_size_image(ps, colour_type, DEPTH(bdlo), PNG_INTERLACE_NONE,
4539                width, height, 1);
4540 #        ifdef PNG_WRITE_INTERLACING_SUPPORTED
4541             make_size_image(ps, colour_type, DEPTH(bdlo), PNG_INTERLACE_ADAM7,
4542                width, height, 0);
4543 #        endif
4544 #        if CAN_WRITE_INTERLACE
4545             /* 1.7.0 removes the hack that prevented app write of an interlaced
4546              * image if WRITE_INTERLACE was not supported
4547              */
4548             make_size_image(ps, colour_type, DEPTH(bdlo), PNG_INTERLACE_ADAM7,
4549                width, height, 1);
4550 #        endif
4551          }
4552       }
4553    }
4554 }
4555 
4556 static void
make_size_images(png_store * ps)4557 make_size_images(png_store *ps)
4558 {
4559    /* This is in case of errors. */
4560    safecat(ps->test, sizeof ps->test, 0, "make size images");
4561 
4562    /* Arguments are colour_type, low bit depth, high bit depth
4563     */
4564    make_size(ps, 0, 0, WRITE_BDHI);
4565    make_size(ps, 2, 3, WRITE_BDHI);
4566    make_size(ps, 3, 0, 3 /*palette: max 8 bits*/);
4567    make_size(ps, 4, 3, WRITE_BDHI);
4568    make_size(ps, 6, 3, WRITE_BDHI);
4569 }
4570 
4571 #ifdef PNG_READ_SUPPORTED
4572 /* Return a row based on image id and 'y' for checking: */
4573 static void
standard_row(png_const_structp pp,png_byte std[STANDARD_ROWMAX],png_uint_32 id,png_uint_32 y)4574 standard_row(png_const_structp pp, png_byte std[STANDARD_ROWMAX],
4575    png_uint_32 id, png_uint_32 y)
4576 {
4577    if (WIDTH_FROM_ID(id) == 0)
4578       transform_row(pp, std, COL_FROM_ID(id), DEPTH_FROM_ID(id), y);
4579    else
4580       size_row(std, WIDTH_FROM_ID(id) * bit_size(pp, COL_FROM_ID(id),
4581          DEPTH_FROM_ID(id)), y);
4582 }
4583 #endif /* PNG_READ_SUPPORTED */
4584 
4585 /* Tests - individual test cases */
4586 /* Like 'make_standard' but errors are deliberately introduced into the calls
4587  * to ensure that they get detected - it should not be possible to write an
4588  * invalid image with libpng!
4589  */
4590 /* TODO: the 'set' functions can probably all be made to take a
4591  * png_const_structp rather than a modifiable one.
4592  */
4593 #ifdef PNG_WARNINGS_SUPPORTED
4594 static void
sBIT0_error_fn(png_structp pp,png_infop pi)4595 sBIT0_error_fn(png_structp pp, png_infop pi)
4596 {
4597    /* 0 is invalid... */
4598    png_color_8 bad;
4599    bad.red = bad.green = bad.blue = bad.gray = bad.alpha = 0;
4600    png_set_sBIT(pp, pi, &bad);
4601 }
4602 
4603 static void
sBIT_error_fn(png_structp pp,png_infop pi)4604 sBIT_error_fn(png_structp pp, png_infop pi)
4605 {
4606    png_byte bit_depth;
4607    png_color_8 bad;
4608 
4609    if (png_get_color_type(pp, pi) == PNG_COLOR_TYPE_PALETTE)
4610       bit_depth = 8;
4611 
4612    else
4613       bit_depth = png_get_bit_depth(pp, pi);
4614 
4615    /* Now we know the bit depth we can easily generate an invalid sBIT entry */
4616    bad.red = bad.green = bad.blue = bad.gray = bad.alpha =
4617       (png_byte)(bit_depth+1);
4618    png_set_sBIT(pp, pi, &bad);
4619 }
4620 
4621 static const struct
4622 {
4623    void          (*fn)(png_structp, png_infop);
4624    const char *msg;
4625    unsigned int    warning :1; /* the error is a warning... */
4626 } error_test[] =
4627     {
4628        /* no warnings makes these errors undetectable prior to 1.7.0 */
4629        { sBIT0_error_fn, "sBIT(0): failed to detect error",
4630          PNG_LIBPNG_VER < 10700 },
4631 
4632        { sBIT_error_fn, "sBIT(too big): failed to detect error",
4633          PNG_LIBPNG_VER < 10700 },
4634     };
4635 
4636 static void
make_error(png_store * const ps,png_byte const colour_type,png_byte bit_depth,int interlace_type,int test,png_const_charp name)4637 make_error(png_store* const ps, png_byte const colour_type,
4638     png_byte bit_depth, int interlace_type, int test, png_const_charp name)
4639 {
4640    context(ps, fault);
4641 
4642    check_interlace_type(interlace_type);
4643 
4644    Try
4645    {
4646       png_infop pi;
4647       const png_structp pp = set_store_for_write(ps, &pi, name);
4648       png_uint_32 w, h;
4649       gnu_volatile(pp)
4650 
4651       if (pp == NULL)
4652          Throw ps;
4653 
4654       w = transform_width(pp, colour_type, bit_depth);
4655       gnu_volatile(w)
4656       h = transform_height(pp, colour_type, bit_depth);
4657       gnu_volatile(h)
4658       png_set_IHDR(pp, pi, w, h, bit_depth, colour_type, interlace_type,
4659             PNG_COMPRESSION_TYPE_BASE, PNG_FILTER_TYPE_BASE);
4660 
4661       if (colour_type == 3) /* palette */
4662          init_standard_palette(ps, pp, pi, 1U << bit_depth, 0/*do tRNS*/);
4663 
4664       /* Time for a few errors; these are in various optional chunks, the
4665        * standard tests test the standard chunks pretty well.
4666        */
4667 #     define exception__prev exception_prev_1
4668 #     define exception__env exception_env_1
4669       Try
4670       {
4671          gnu_volatile(exception__prev)
4672 
4673          /* Expect this to throw: */
4674          ps->expect_error = !error_test[test].warning;
4675          ps->expect_warning = error_test[test].warning;
4676          ps->saw_warning = 0;
4677          error_test[test].fn(pp, pi);
4678 
4679          /* Normally the error is only detected here: */
4680          png_write_info(pp, pi);
4681 
4682          /* And handle the case where it was only a warning: */
4683          if (ps->expect_warning && ps->saw_warning)
4684             Throw ps;
4685 
4686          /* If we get here there is a problem, we have success - no error or
4687           * no warning - when we shouldn't have success.  Log an error.
4688           */
4689          store_log(ps, pp, error_test[test].msg, 1 /*error*/);
4690       }
4691 
4692       Catch (fault)
4693       { /* expected exit */
4694       }
4695 #undef exception__prev
4696 #undef exception__env
4697 
4698       /* And clear these flags */
4699       ps->expect_warning = 0;
4700 
4701       if (ps->expect_error)
4702          ps->expect_error = 0;
4703 
4704       else
4705       {
4706          /* Now write the whole image, just to make sure that the detected, or
4707           * undetected, errro has not created problems inside libpng.  This
4708           * doesn't work if there was a png_error in png_write_info because that
4709           * can abort before PLTE was written.
4710           */
4711          if (png_get_rowbytes(pp, pi) !=
4712              transform_rowsize(pp, colour_type, bit_depth))
4713             png_error(pp, "row size incorrect");
4714 
4715          else
4716          {
4717             int npasses = set_write_interlace_handling(pp, interlace_type);
4718             int pass;
4719 
4720             if (npasses != npasses_from_interlace_type(pp, interlace_type))
4721                png_error(pp, "write: png_set_interlace_handling failed");
4722 
4723             for (pass=0; pass<npasses; ++pass)
4724             {
4725                png_uint_32 y;
4726 
4727                for (y=0; y<h; ++y)
4728                {
4729                   png_byte buffer[TRANSFORM_ROWMAX];
4730 
4731                   transform_row(pp, buffer, colour_type, bit_depth, y);
4732 
4733 #                 if do_own_interlace
4734                      /* If do_own_interlace *and* the image is interlaced we
4735                       * need a reduced interlace row; this may be reduced to
4736                       * empty.
4737                       */
4738                      if (interlace_type == PNG_INTERLACE_ADAM7)
4739                      {
4740                         /* The row must not be written if it doesn't exist,
4741                          * notice that there are two conditions here, either the
4742                          * row isn't ever in the pass or the row would be but
4743                          * isn't wide enough to contribute any pixels.  In fact
4744                          * the wPass test can be used to skip the whole y loop
4745                          * in this case.
4746                          */
4747                         if (PNG_ROW_IN_INTERLACE_PASS(y, pass) &&
4748                             PNG_PASS_COLS(w, pass) > 0)
4749                            interlace_row(buffer, buffer,
4750                                  bit_size(pp, colour_type, bit_depth), w, pass,
4751                                  0/*data always bigendian*/);
4752                         else
4753                            continue;
4754                      }
4755 #                 endif /* do_own_interlace */
4756 
4757                   png_write_row(pp, buffer);
4758                }
4759             }
4760          } /* image writing */
4761 
4762          png_write_end(pp, pi);
4763       }
4764 
4765       /* The following deletes the file that was just written. */
4766       store_write_reset(ps);
4767    }
4768 
4769    Catch(fault)
4770    {
4771       store_write_reset(fault);
4772    }
4773 }
4774 
4775 static int
make_errors(png_modifier * const pm,png_byte const colour_type,int bdlo,int const bdhi)4776 make_errors(png_modifier* const pm, png_byte const colour_type,
4777     int bdlo, int const bdhi)
4778 {
4779    for (; bdlo <= bdhi; ++bdlo)
4780    {
4781       int interlace_type;
4782 
4783       for (interlace_type = PNG_INTERLACE_NONE;
4784            interlace_type < INTERLACE_LAST; ++interlace_type)
4785       {
4786          unsigned int test;
4787          char name[FILE_NAME_SIZE];
4788 
4789          standard_name(name, sizeof name, 0, colour_type, 1<<bdlo, 0,
4790             interlace_type, 0, 0, do_own_interlace);
4791 
4792          for (test=0; test<ARRAY_SIZE(error_test); ++test)
4793          {
4794             make_error(&pm->this, colour_type, DEPTH(bdlo), interlace_type,
4795                test, name);
4796 
4797             if (fail(pm))
4798                return 0;
4799          }
4800       }
4801    }
4802 
4803    return 1; /* keep going */
4804 }
4805 #endif /* PNG_WARNINGS_SUPPORTED */
4806 
4807 static void
perform_error_test(png_modifier * pm)4808 perform_error_test(png_modifier *pm)
4809 {
4810 #ifdef PNG_WARNINGS_SUPPORTED /* else there are no cases that work! */
4811    /* Need to do this here because we just write in this test. */
4812    safecat(pm->this.test, sizeof pm->this.test, 0, "error test");
4813 
4814    if (!make_errors(pm, 0, 0, WRITE_BDHI))
4815       return;
4816 
4817    if (!make_errors(pm, 2, 3, WRITE_BDHI))
4818       return;
4819 
4820    if (!make_errors(pm, 3, 0, 3))
4821       return;
4822 
4823    if (!make_errors(pm, 4, 3, WRITE_BDHI))
4824       return;
4825 
4826    if (!make_errors(pm, 6, 3, WRITE_BDHI))
4827       return;
4828 #else
4829    UNUSED(pm)
4830 #endif
4831 }
4832 
4833 /* This is just to validate the internal PNG formatting code - if this fails
4834  * then the warning messages the library outputs will probably be garbage.
4835  */
4836 static void
perform_formatting_test(png_store * ps)4837 perform_formatting_test(png_store *ps)
4838 {
4839 #ifdef PNG_TIME_RFC1123_SUPPORTED
4840    /* The handle into the formatting code is the RFC1123 support; this test does
4841     * nothing if that is compiled out.
4842     */
4843    context(ps, fault);
4844 
4845    Try
4846    {
4847       png_const_charp correct = "29 Aug 2079 13:53:60 +0000";
4848       png_const_charp result;
4849 #     if PNG_LIBPNG_VER >= 10600
4850          char timestring[29];
4851 #     endif
4852       png_structp pp;
4853       png_time pt;
4854 
4855       pp = set_store_for_write(ps, NULL, "libpng formatting test");
4856 
4857       if (pp == NULL)
4858          Throw ps;
4859 
4860 
4861       /* Arbitrary settings: */
4862       pt.year = 2079;
4863       pt.month = 8;
4864       pt.day = 29;
4865       pt.hour = 13;
4866       pt.minute = 53;
4867       pt.second = 60; /* a leap second */
4868 
4869 #     if PNG_LIBPNG_VER < 10600
4870          result = png_convert_to_rfc1123(pp, &pt);
4871 #     else
4872          if (png_convert_to_rfc1123_buffer(timestring, &pt))
4873             result = timestring;
4874 
4875          else
4876             result = NULL;
4877 #     endif
4878 
4879       if (result == NULL)
4880          png_error(pp, "png_convert_to_rfc1123 failed");
4881 
4882       if (strcmp(result, correct) != 0)
4883       {
4884          size_t pos = 0;
4885          char msg[128];
4886 
4887          pos = safecat(msg, sizeof msg, pos, "png_convert_to_rfc1123(");
4888          pos = safecat(msg, sizeof msg, pos, correct);
4889          pos = safecat(msg, sizeof msg, pos, ") returned: '");
4890          pos = safecat(msg, sizeof msg, pos, result);
4891          pos = safecat(msg, sizeof msg, pos, "'");
4892 
4893          png_error(pp, msg);
4894       }
4895 
4896       store_write_reset(ps);
4897    }
4898 
4899    Catch(fault)
4900    {
4901       store_write_reset(fault);
4902    }
4903 #else
4904    UNUSED(ps)
4905 #endif
4906 }
4907 
4908 #ifdef PNG_READ_SUPPORTED
4909 /* Because we want to use the same code in both the progressive reader and the
4910  * sequential reader it is necessary to deal with the fact that the progressive
4911  * reader callbacks only have one parameter (png_get_progressive_ptr()), so this
4912  * must contain all the test parameters and all the local variables directly
4913  * accessible to the sequential reader implementation.
4914  *
4915  * The technique adopted is to reinvent part of what Dijkstra termed a
4916  * 'display'; an array of pointers to the stack frames of enclosing functions so
4917  * that a nested function definition can access the local (C auto) variables of
4918  * the functions that contain its definition.  In fact C provides the first
4919  * pointer (the local variables - the stack frame pointer) and the last (the
4920  * global variables - the BCPL global vector typically implemented as global
4921  * addresses), this code requires one more pointer to make the display - the
4922  * local variables (and function call parameters) of the function that actually
4923  * invokes either the progressive or sequential reader.
4924  *
4925  * Perhaps confusingly this technique is confounded with classes - the
4926  * 'standard_display' defined here is sub-classed as the 'gamma_display' below.
4927  * A gamma_display is a standard_display, taking advantage of the ANSI-C
4928  * requirement that the pointer to the first member of a structure must be the
4929  * same as the pointer to the structure.  This allows us to reuse standard_
4930  * functions in the gamma test code; something that could not be done with
4931  * nested functions!
4932  */
4933 typedef struct standard_display
4934 {
4935    png_store*  ps;             /* Test parameters (passed to the function) */
4936    png_byte    colour_type;
4937    png_byte    bit_depth;
4938    png_byte    red_sBIT;       /* Input data sBIT values. */
4939    png_byte    green_sBIT;
4940    png_byte    blue_sBIT;
4941    png_byte    alpha_sBIT;
4942    png_byte    interlace_type;
4943    png_byte    filler;         /* Output has a filler */
4944    png_uint_32 id;             /* Calculated file ID */
4945    png_uint_32 w;              /* Width of image */
4946    png_uint_32 h;              /* Height of image */
4947    int         npasses;        /* Number of interlaced passes */
4948    png_uint_32 pixel_size;     /* Width of one pixel in bits */
4949    png_uint_32 bit_width;      /* Width of output row in bits */
4950    size_t      cbRow;          /* Bytes in a row of the output image */
4951    int         do_interlace;   /* Do interlacing internally */
4952    int         littleendian;   /* App (row) data is little endian */
4953    int         is_transparent; /* Transparency information was present. */
4954    int         has_tRNS;       /* color type GRAY or RGB with a tRNS chunk. */
4955    int         speed;          /* Doing a speed test */
4956    int         use_update_info;/* Call update_info, not start_image */
4957    struct
4958    {
4959       png_uint_16 red;
4960       png_uint_16 green;
4961       png_uint_16 blue;
4962    }           transparent;    /* The transparent color, if set. */
4963    int         npalette;       /* Number of entries in the palette. */
4964    store_palette
4965                palette;
4966 } standard_display;
4967 
4968 static void
standard_display_init(standard_display * dp,png_store * ps,png_uint_32 id,int do_interlace,int use_update_info)4969 standard_display_init(standard_display *dp, png_store* ps, png_uint_32 id,
4970    int do_interlace, int use_update_info)
4971 {
4972    memset(dp, 0, sizeof *dp);
4973 
4974    dp->ps = ps;
4975    dp->colour_type = COL_FROM_ID(id);
4976    dp->bit_depth = DEPTH_FROM_ID(id);
4977    if (dp->bit_depth < 1 || dp->bit_depth > 16)
4978       internal_error(ps, "internal: bad bit depth");
4979    if (dp->colour_type == 3)
4980       dp->red_sBIT = dp->blue_sBIT = dp->green_sBIT = dp->alpha_sBIT = 8;
4981    else
4982       dp->red_sBIT = dp->blue_sBIT = dp->green_sBIT = dp->alpha_sBIT =
4983          dp->bit_depth;
4984    dp->interlace_type = INTERLACE_FROM_ID(id);
4985    check_interlace_type(dp->interlace_type);
4986    dp->id = id;
4987    /* All the rest are filled in after the read_info: */
4988    dp->w = 0;
4989    dp->h = 0;
4990    dp->npasses = 0;
4991    dp->pixel_size = 0;
4992    dp->bit_width = 0;
4993    dp->cbRow = 0;
4994    dp->do_interlace = do_interlace;
4995    dp->littleendian = 0;
4996    dp->is_transparent = 0;
4997    dp->speed = ps->speed;
4998    dp->use_update_info = use_update_info;
4999    dp->npalette = 0;
5000    /* Preset the transparent color to black: */
5001    memset(&dp->transparent, 0, sizeof dp->transparent);
5002    /* Preset the palette to full intensity/opaque througout: */
5003    memset(dp->palette, 0xff, sizeof dp->palette);
5004 }
5005 
5006 /* Initialize the palette fields - this must be done later because the palette
5007  * comes from the particular png_store_file that is selected.
5008  */
5009 static void
standard_palette_init(standard_display * dp)5010 standard_palette_init(standard_display *dp)
5011 {
5012    store_palette_entry *palette = store_current_palette(dp->ps, &dp->npalette);
5013 
5014    /* The remaining entries remain white/opaque. */
5015    if (dp->npalette > 0)
5016    {
5017       int i = dp->npalette;
5018       memcpy(dp->palette, palette, i * sizeof *palette);
5019 
5020       /* Check for a non-opaque palette entry: */
5021       while (--i >= 0)
5022          if (palette[i].alpha < 255)
5023             break;
5024 
5025 #     ifdef __GNUC__
5026          /* GCC can't handle the more obviously optimizable version. */
5027          if (i >= 0)
5028             dp->is_transparent = 1;
5029          else
5030             dp->is_transparent = 0;
5031 #     else
5032          dp->is_transparent = (i >= 0);
5033 #     endif
5034    }
5035 }
5036 
5037 /* Utility to read the palette from the PNG file and convert it into
5038  * store_palette format.  This returns 1 if there is any transparency in the
5039  * palette (it does not check for a transparent colour in the non-palette case.)
5040  */
5041 static int
read_palette(store_palette palette,int * npalette,png_const_structp pp,png_infop pi)5042 read_palette(store_palette palette, int *npalette, png_const_structp pp,
5043    png_infop pi)
5044 {
5045    png_colorp pal;
5046    png_bytep trans_alpha;
5047    int num;
5048 
5049    pal = 0;
5050    *npalette = -1;
5051 
5052    if (png_get_PLTE(pp, pi, &pal, npalette) & PNG_INFO_PLTE)
5053    {
5054       int i = *npalette;
5055 
5056       if (i <= 0 || i > 256)
5057          png_error(pp, "validate: invalid PLTE count");
5058 
5059       while (--i >= 0)
5060       {
5061          palette[i].red = pal[i].red;
5062          palette[i].green = pal[i].green;
5063          palette[i].blue = pal[i].blue;
5064       }
5065 
5066       /* Mark the remainder of the entries with a flag value (other than
5067        * white/opaque which is the flag value stored above.)
5068        */
5069       memset(palette + *npalette, 126, (256-*npalette) * sizeof *palette);
5070    }
5071 
5072    else /* !png_get_PLTE */
5073    {
5074       if (*npalette != (-1))
5075          png_error(pp, "validate: invalid PLTE result");
5076       /* But there is no palette, so record this: */
5077       *npalette = 0;
5078       memset(palette, 113, sizeof (store_palette));
5079    }
5080 
5081    trans_alpha = 0;
5082    num = 2; /* force error below */
5083    if ((png_get_tRNS(pp, pi, &trans_alpha, &num, 0) & PNG_INFO_tRNS) != 0 &&
5084       (trans_alpha != NULL || num != 1/*returns 1 for a transparent color*/) &&
5085       /* Oops, if a palette tRNS gets expanded png_read_update_info (at least so
5086        * far as 1.5.4) does not remove the trans_alpha pointer, only num_trans,
5087        * so in the above call we get a success, we get a pointer (who knows what
5088        * to) and we get num_trans == 0:
5089        */
5090       !(trans_alpha != NULL && num == 0)) /* TODO: fix this in libpng. */
5091    {
5092       int i;
5093 
5094       /* Any of these are crash-worthy - given the implementation of
5095        * png_get_tRNS up to 1.5 an app won't crash if it just checks the
5096        * result above and fails to check that the variables it passed have
5097        * actually been filled in!  Note that if the app were to pass the
5098        * last, png_color_16p, variable too it couldn't rely on this.
5099        */
5100       if (trans_alpha == NULL || num <= 0 || num > 256 || num > *npalette)
5101          png_error(pp, "validate: unexpected png_get_tRNS (palette) result");
5102 
5103       for (i=0; i<num; ++i)
5104          palette[i].alpha = trans_alpha[i];
5105 
5106       for (num=*npalette; i<num; ++i)
5107          palette[i].alpha = 255;
5108 
5109       for (; i<256; ++i)
5110          palette[i].alpha = 33; /* flag value */
5111 
5112       return 1; /* transparency */
5113    }
5114 
5115    else
5116    {
5117       /* No palette transparency - just set the alpha channel to opaque. */
5118       int i;
5119 
5120       for (i=0, num=*npalette; i<num; ++i)
5121          palette[i].alpha = 255;
5122 
5123       for (; i<256; ++i)
5124          palette[i].alpha = 55; /* flag value */
5125 
5126       return 0; /* no transparency */
5127    }
5128 }
5129 
5130 /* Utility to validate the palette if it should not have changed (the
5131  * non-transform case).
5132  */
5133 static void
standard_palette_validate(standard_display * dp,png_const_structp pp,png_infop pi)5134 standard_palette_validate(standard_display *dp, png_const_structp pp,
5135    png_infop pi)
5136 {
5137    int npalette;
5138    store_palette palette;
5139 
5140    if (read_palette(palette, &npalette, pp, pi) != dp->is_transparent)
5141       png_error(pp, "validate: palette transparency changed");
5142 
5143    if (npalette != dp->npalette)
5144    {
5145       size_t pos = 0;
5146       char msg[64];
5147 
5148       pos = safecat(msg, sizeof msg, pos, "validate: palette size changed: ");
5149       pos = safecatn(msg, sizeof msg, pos, dp->npalette);
5150       pos = safecat(msg, sizeof msg, pos, " -> ");
5151       pos = safecatn(msg, sizeof msg, pos, npalette);
5152       png_error(pp, msg);
5153    }
5154 
5155    {
5156       int i = npalette; /* npalette is aliased */
5157 
5158       while (--i >= 0)
5159          if (palette[i].red != dp->palette[i].red ||
5160             palette[i].green != dp->palette[i].green ||
5161             palette[i].blue != dp->palette[i].blue ||
5162             palette[i].alpha != dp->palette[i].alpha)
5163             png_error(pp, "validate: PLTE or tRNS chunk changed");
5164    }
5165 }
5166 
5167 /* By passing a 'standard_display' the progressive callbacks can be used
5168  * directly by the sequential code, the functions suffixed "_imp" are the
5169  * implementations, the functions without the suffix are the callbacks.
5170  *
5171  * The code for the info callback is split into two because this callback calls
5172  * png_read_update_info or png_start_read_image and what gets called depends on
5173  * whether the info needs updating (we want to test both calls in pngvalid.)
5174  */
5175 static void
standard_info_part1(standard_display * dp,png_structp pp,png_infop pi)5176 standard_info_part1(standard_display *dp, png_structp pp, png_infop pi)
5177 {
5178    if (png_get_bit_depth(pp, pi) != dp->bit_depth)
5179       png_error(pp, "validate: bit depth changed");
5180 
5181    if (png_get_color_type(pp, pi) != dp->colour_type)
5182       png_error(pp, "validate: color type changed");
5183 
5184    if (png_get_filter_type(pp, pi) != PNG_FILTER_TYPE_BASE)
5185       png_error(pp, "validate: filter type changed");
5186 
5187    if (png_get_interlace_type(pp, pi) != dp->interlace_type)
5188       png_error(pp, "validate: interlacing changed");
5189 
5190    if (png_get_compression_type(pp, pi) != PNG_COMPRESSION_TYPE_BASE)
5191       png_error(pp, "validate: compression type changed");
5192 
5193    dp->w = png_get_image_width(pp, pi);
5194 
5195    if (dp->w != standard_width(pp, dp->id))
5196       png_error(pp, "validate: image width changed");
5197 
5198    dp->h = png_get_image_height(pp, pi);
5199 
5200    if (dp->h != standard_height(pp, dp->id))
5201       png_error(pp, "validate: image height changed");
5202 
5203    /* Record (but don't check at present) the input sBIT according to the colour
5204     * type information.
5205     */
5206    {
5207       png_color_8p sBIT = 0;
5208 
5209       if (png_get_sBIT(pp, pi, &sBIT) & PNG_INFO_sBIT)
5210       {
5211          int sBIT_invalid = 0;
5212 
5213          if (sBIT == 0)
5214             png_error(pp, "validate: unexpected png_get_sBIT result");
5215 
5216          if (dp->colour_type & PNG_COLOR_MASK_COLOR)
5217          {
5218             if (sBIT->red == 0 || sBIT->red > dp->bit_depth)
5219                sBIT_invalid = 1;
5220             else
5221                dp->red_sBIT = sBIT->red;
5222 
5223             if (sBIT->green == 0 || sBIT->green > dp->bit_depth)
5224                sBIT_invalid = 1;
5225             else
5226                dp->green_sBIT = sBIT->green;
5227 
5228             if (sBIT->blue == 0 || sBIT->blue > dp->bit_depth)
5229                sBIT_invalid = 1;
5230             else
5231                dp->blue_sBIT = sBIT->blue;
5232          }
5233 
5234          else /* !COLOR */
5235          {
5236             if (sBIT->gray == 0 || sBIT->gray > dp->bit_depth)
5237                sBIT_invalid = 1;
5238             else
5239                dp->blue_sBIT = dp->green_sBIT = dp->red_sBIT = sBIT->gray;
5240          }
5241 
5242          /* All 8 bits in tRNS for a palette image are significant - see the
5243           * spec.
5244           */
5245          if (dp->colour_type & PNG_COLOR_MASK_ALPHA)
5246          {
5247             if (sBIT->alpha == 0 || sBIT->alpha > dp->bit_depth)
5248                sBIT_invalid = 1;
5249             else
5250                dp->alpha_sBIT = sBIT->alpha;
5251          }
5252 
5253          if (sBIT_invalid)
5254             png_error(pp, "validate: sBIT value out of range");
5255       }
5256    }
5257 
5258    /* Important: this is validating the value *before* any transforms have been
5259     * put in place.  It doesn't matter for the standard tests, where there are
5260     * no transforms, but it does for other tests where rowbytes may change after
5261     * png_read_update_info.
5262     */
5263    if (png_get_rowbytes(pp, pi) != standard_rowsize(pp, dp->id))
5264       png_error(pp, "validate: row size changed");
5265 
5266    /* Validate the colour type 3 palette (this can be present on other color
5267     * types.)
5268     */
5269    standard_palette_validate(dp, pp, pi);
5270 
5271    /* In any case always check for a tranparent color (notice that the
5272     * colour type 3 case must not give a successful return on the get_tRNS call
5273     * with these arguments!)
5274     */
5275    {
5276       png_color_16p trans_color = 0;
5277 
5278       if (png_get_tRNS(pp, pi, 0, 0, &trans_color) & PNG_INFO_tRNS)
5279       {
5280          if (trans_color == 0)
5281             png_error(pp, "validate: unexpected png_get_tRNS (color) result");
5282 
5283          switch (dp->colour_type)
5284          {
5285          case 0:
5286             dp->transparent.red = dp->transparent.green = dp->transparent.blue =
5287                trans_color->gray;
5288             dp->has_tRNS = 1;
5289             break;
5290 
5291          case 2:
5292             dp->transparent.red = trans_color->red;
5293             dp->transparent.green = trans_color->green;
5294             dp->transparent.blue = trans_color->blue;
5295             dp->has_tRNS = 1;
5296             break;
5297 
5298          case 3:
5299             /* Not expected because it should result in the array case
5300              * above.
5301              */
5302             png_error(pp, "validate: unexpected png_get_tRNS result");
5303             break;
5304 
5305          default:
5306             png_error(pp, "validate: invalid tRNS chunk with alpha image");
5307          }
5308       }
5309    }
5310 
5311    /* Read the number of passes - expected to match the value used when
5312     * creating the image (interlaced or not).  This has the side effect of
5313     * turning on interlace handling (if do_interlace is not set.)
5314     */
5315    dp->npasses = npasses_from_interlace_type(pp, dp->interlace_type);
5316    if (!dp->do_interlace)
5317    {
5318 #     ifdef PNG_READ_INTERLACING_SUPPORTED
5319          if (dp->npasses != png_set_interlace_handling(pp))
5320             png_error(pp, "validate: file changed interlace type");
5321 #     else /* !READ_INTERLACING */
5322          /* This should never happen: the relevant tests (!do_interlace) should
5323           * not be run.
5324           */
5325          if (dp->npasses > 1)
5326             png_error(pp, "validate: no libpng interlace support");
5327 #     endif /* !READ_INTERLACING */
5328    }
5329 
5330    /* Caller calls png_read_update_info or png_start_read_image now, then calls
5331     * part2.
5332     */
5333 }
5334 
5335 /* This must be called *after* the png_read_update_info call to get the correct
5336  * 'rowbytes' value, otherwise png_get_rowbytes will refer to the untransformed
5337  * image.
5338  */
5339 static void
standard_info_part2(standard_display * dp,png_const_structp pp,png_const_infop pi,int nImages)5340 standard_info_part2(standard_display *dp, png_const_structp pp,
5341     png_const_infop pi, int nImages)
5342 {
5343    /* Record cbRow now that it can be found. */
5344    {
5345       png_byte ct = png_get_color_type(pp, pi);
5346       png_byte bd = png_get_bit_depth(pp, pi);
5347 
5348       if (bd >= 8 && (ct == PNG_COLOR_TYPE_RGB || ct == PNG_COLOR_TYPE_GRAY) &&
5349           dp->filler)
5350           ct |= 4; /* handle filler as faked alpha channel */
5351 
5352       dp->pixel_size = bit_size(pp, ct, bd);
5353    }
5354    dp->bit_width = png_get_image_width(pp, pi) * dp->pixel_size;
5355    dp->cbRow = png_get_rowbytes(pp, pi);
5356 
5357    /* Validate the rowbytes here again. */
5358    if (dp->cbRow != (dp->bit_width+7)/8)
5359       png_error(pp, "bad png_get_rowbytes calculation");
5360 
5361    /* Then ensure there is enough space for the output image(s). */
5362    store_ensure_image(dp->ps, pp, nImages, dp->cbRow, dp->h);
5363 }
5364 
5365 static void
standard_info_imp(standard_display * dp,png_structp pp,png_infop pi,int nImages)5366 standard_info_imp(standard_display *dp, png_structp pp, png_infop pi,
5367     int nImages)
5368 {
5369    /* Note that the validation routine has the side effect of turning on
5370     * interlace handling in the subsequent code.
5371     */
5372    standard_info_part1(dp, pp, pi);
5373 
5374    /* And the info callback has to call this (or png_read_update_info - see
5375     * below in the png_modifier code for that variant.
5376     */
5377    if (dp->use_update_info)
5378    {
5379       /* For debugging the effect of multiple calls: */
5380       int i = dp->use_update_info;
5381       while (i-- > 0)
5382          png_read_update_info(pp, pi);
5383    }
5384 
5385    else
5386       png_start_read_image(pp);
5387 
5388    /* Validate the height, width and rowbytes plus ensure that sufficient buffer
5389     * exists for decoding the image.
5390     */
5391    standard_info_part2(dp, pp, pi, nImages);
5392 }
5393 
5394 static void PNGCBAPI
standard_info(png_structp pp,png_infop pi)5395 standard_info(png_structp pp, png_infop pi)
5396 {
5397    standard_display *dp = voidcast(standard_display*,
5398       png_get_progressive_ptr(pp));
5399 
5400    /* Call with nImages==1 because the progressive reader can only produce one
5401     * image.
5402     */
5403    standard_info_imp(dp, pp, pi, 1 /*only one image*/);
5404 }
5405 
5406 static void PNGCBAPI
progressive_row(png_structp ppIn,png_bytep new_row,png_uint_32 y,int pass)5407 progressive_row(png_structp ppIn, png_bytep new_row, png_uint_32 y, int pass)
5408 {
5409    png_const_structp pp = ppIn;
5410    const standard_display *dp = voidcast(standard_display*,
5411       png_get_progressive_ptr(pp));
5412 
5413    /* When handling interlacing some rows will be absent in each pass, the
5414     * callback still gets called, but with a NULL pointer.  This is checked
5415     * in the 'else' clause below.  We need our own 'cbRow', but we can't call
5416     * png_get_rowbytes because we got no info structure.
5417     */
5418    if (new_row != NULL)
5419    {
5420       png_bytep row;
5421 
5422       /* In the case where the reader doesn't do the interlace it gives
5423        * us the y in the sub-image:
5424        */
5425       if (dp->do_interlace && dp->interlace_type == PNG_INTERLACE_ADAM7)
5426       {
5427 #ifdef PNG_USER_TRANSFORM_INFO_SUPPORTED
5428          /* Use this opportunity to validate the png 'current' APIs: */
5429          if (y != png_get_current_row_number(pp))
5430             png_error(pp, "png_get_current_row_number is broken");
5431 
5432          if (pass != png_get_current_pass_number(pp))
5433             png_error(pp, "png_get_current_pass_number is broken");
5434 #endif /* USER_TRANSFORM_INFO */
5435 
5436          y = PNG_ROW_FROM_PASS_ROW(y, pass);
5437       }
5438 
5439       /* Validate this just in case. */
5440       if (y >= dp->h)
5441          png_error(pp, "invalid y to progressive row callback");
5442 
5443       row = store_image_row(dp->ps, pp, 0, y);
5444 
5445       /* Combine the new row into the old: */
5446 #ifdef PNG_READ_INTERLACING_SUPPORTED
5447       if (dp->do_interlace)
5448 #endif /* READ_INTERLACING */
5449       {
5450          if (dp->interlace_type == PNG_INTERLACE_ADAM7)
5451             deinterlace_row(row, new_row, dp->pixel_size, dp->w, pass,
5452                   dp->littleendian);
5453          else
5454             row_copy(row, new_row, dp->pixel_size * dp->w, dp->littleendian);
5455       }
5456 #ifdef PNG_READ_INTERLACING_SUPPORTED
5457       else
5458          png_progressive_combine_row(pp, row, new_row);
5459 #endif /* PNG_READ_INTERLACING_SUPPORTED */
5460    }
5461 
5462    else if (dp->interlace_type == PNG_INTERLACE_ADAM7 &&
5463        PNG_ROW_IN_INTERLACE_PASS(y, pass) &&
5464        PNG_PASS_COLS(dp->w, pass) > 0)
5465       png_error(pp, "missing row in progressive de-interlacing");
5466 }
5467 
5468 static void
sequential_row(standard_display * dp,png_structp pp,png_infop pi,const int iImage,const int iDisplay)5469 sequential_row(standard_display *dp, png_structp pp, png_infop pi,
5470     const int iImage, const int iDisplay)
5471 {
5472    const int         npasses = dp->npasses;
5473    const int         do_interlace = dp->do_interlace &&
5474       dp->interlace_type == PNG_INTERLACE_ADAM7;
5475    const png_uint_32 height = standard_height(pp, dp->id);
5476    const png_uint_32 width = standard_width(pp, dp->id);
5477    const png_store*  ps = dp->ps;
5478    int pass;
5479 
5480    for (pass=0; pass<npasses; ++pass)
5481    {
5482       png_uint_32 y;
5483       png_uint_32 wPass = PNG_PASS_COLS(width, pass);
5484 
5485       for (y=0; y<height; ++y)
5486       {
5487          if (do_interlace)
5488          {
5489             /* wPass may be zero or this row may not be in this pass.
5490              * png_read_row must not be called in either case.
5491              */
5492             if (wPass > 0 && PNG_ROW_IN_INTERLACE_PASS(y, pass))
5493             {
5494                /* Read the row into a pair of temporary buffers, then do the
5495                 * merge here into the output rows.
5496                 */
5497                png_byte row[STANDARD_ROWMAX], display[STANDARD_ROWMAX];
5498 
5499                /* The following aids (to some extent) error detection - we can
5500                 * see where png_read_row wrote.  Use opposite values in row and
5501                 * display to make this easier.  Don't use 0xff (which is used in
5502                 * the image write code to fill unused bits) or 0 (which is a
5503                 * likely value to overwrite unused bits with).
5504                 */
5505                memset(row, 0xc5, sizeof row);
5506                memset(display, 0x5c, sizeof display);
5507 
5508                png_read_row(pp, row, display);
5509 
5510                if (iImage >= 0)
5511                   deinterlace_row(store_image_row(ps, pp, iImage, y), row,
5512                      dp->pixel_size, dp->w, pass, dp->littleendian);
5513 
5514                if (iDisplay >= 0)
5515                   deinterlace_row(store_image_row(ps, pp, iDisplay, y), display,
5516                      dp->pixel_size, dp->w, pass, dp->littleendian);
5517             }
5518          }
5519          else
5520             png_read_row(pp,
5521                iImage >= 0 ? store_image_row(ps, pp, iImage, y) : NULL,
5522                iDisplay >= 0 ? store_image_row(ps, pp, iDisplay, y) : NULL);
5523       }
5524    }
5525 
5526    /* And finish the read operation (only really necessary if the caller wants
5527     * to find additional data in png_info from chunks after the last IDAT.)
5528     */
5529    png_read_end(pp, pi);
5530 }
5531 
5532 #ifdef PNG_TEXT_SUPPORTED
5533 static void
standard_check_text(png_const_structp pp,png_const_textp tp,png_const_charp keyword,png_const_charp text)5534 standard_check_text(png_const_structp pp, png_const_textp tp,
5535    png_const_charp keyword, png_const_charp text)
5536 {
5537    char msg[1024];
5538    size_t pos = safecat(msg, sizeof msg, 0, "text: ");
5539    size_t ok;
5540 
5541    pos = safecat(msg, sizeof msg, pos, keyword);
5542    pos = safecat(msg, sizeof msg, pos, ": ");
5543    ok = pos;
5544 
5545    if (tp->compression != TEXT_COMPRESSION)
5546    {
5547       char buf[64];
5548 
5549       sprintf(buf, "compression [%d->%d], ", TEXT_COMPRESSION,
5550          tp->compression);
5551       pos = safecat(msg, sizeof msg, pos, buf);
5552    }
5553 
5554    if (tp->key == NULL || strcmp(tp->key, keyword) != 0)
5555    {
5556       pos = safecat(msg, sizeof msg, pos, "keyword \"");
5557       if (tp->key != NULL)
5558       {
5559          pos = safecat(msg, sizeof msg, pos, tp->key);
5560          pos = safecat(msg, sizeof msg, pos, "\", ");
5561       }
5562 
5563       else
5564          pos = safecat(msg, sizeof msg, pos, "null, ");
5565    }
5566 
5567    if (tp->text == NULL)
5568       pos = safecat(msg, sizeof msg, pos, "text lost, ");
5569 
5570    else
5571    {
5572       if (tp->text_length != strlen(text))
5573       {
5574          char buf[64];
5575          sprintf(buf, "text length changed[%lu->%lu], ",
5576             (unsigned long)strlen(text), (unsigned long)tp->text_length);
5577          pos = safecat(msg, sizeof msg, pos, buf);
5578       }
5579 
5580       if (strcmp(tp->text, text) != 0)
5581       {
5582          pos = safecat(msg, sizeof msg, pos, "text becomes \"");
5583          pos = safecat(msg, sizeof msg, pos, tp->text);
5584          pos = safecat(msg, sizeof msg, pos, "\" (was \"");
5585          pos = safecat(msg, sizeof msg, pos, text);
5586          pos = safecat(msg, sizeof msg, pos, "\"), ");
5587       }
5588    }
5589 
5590    if (tp->itxt_length != 0)
5591       pos = safecat(msg, sizeof msg, pos, "iTXt length set, ");
5592 
5593    if (tp->lang != NULL)
5594    {
5595       pos = safecat(msg, sizeof msg, pos, "iTXt language \"");
5596       pos = safecat(msg, sizeof msg, pos, tp->lang);
5597       pos = safecat(msg, sizeof msg, pos, "\", ");
5598    }
5599 
5600    if (tp->lang_key != NULL)
5601    {
5602       pos = safecat(msg, sizeof msg, pos, "iTXt keyword \"");
5603       pos = safecat(msg, sizeof msg, pos, tp->lang_key);
5604       pos = safecat(msg, sizeof msg, pos, "\", ");
5605    }
5606 
5607    if (pos > ok)
5608    {
5609       msg[pos-2] = '\0'; /* Remove the ", " at the end */
5610       png_error(pp, msg);
5611    }
5612 }
5613 
5614 static void
standard_text_validate(standard_display * dp,png_const_structp pp,png_infop pi,int check_end)5615 standard_text_validate(standard_display *dp, png_const_structp pp,
5616    png_infop pi, int check_end)
5617 {
5618    png_textp tp = NULL;
5619    png_uint_32 num_text = png_get_text(pp, pi, &tp, NULL);
5620 
5621    if (num_text == 2 && tp != NULL)
5622    {
5623       standard_check_text(pp, tp, "image name", dp->ps->current->name);
5624 
5625       /* This exists because prior to 1.5.18 the progressive reader left the
5626        * png_struct z_stream unreset at the end of the image, so subsequent
5627        * attempts to use it simply returns Z_STREAM_END.
5628        */
5629       if (check_end)
5630          standard_check_text(pp, tp+1, "end marker", "end");
5631    }
5632 
5633    else
5634    {
5635       char msg[64];
5636 
5637       sprintf(msg, "expected two text items, got %lu",
5638          (unsigned long)num_text);
5639       png_error(pp, msg);
5640    }
5641 }
5642 #else
5643 #  define standard_text_validate(dp,pp,pi,check_end) ((void)0)
5644 #endif
5645 
5646 static void
standard_row_validate(standard_display * dp,png_const_structp pp,int iImage,int iDisplay,png_uint_32 y)5647 standard_row_validate(standard_display *dp, png_const_structp pp,
5648    int iImage, int iDisplay, png_uint_32 y)
5649 {
5650    int where;
5651    png_byte std[STANDARD_ROWMAX];
5652 
5653    /* The row must be pre-initialized to the magic number here for the size
5654     * tests to pass:
5655     */
5656    memset(std, 178, sizeof std);
5657    standard_row(pp, std, dp->id, y);
5658 
5659    /* At the end both the 'row' and 'display' arrays should end up identical.
5660     * In earlier passes 'row' will be partially filled in, with only the pixels
5661     * that have been read so far, but 'display' will have those pixels
5662     * replicated to fill the unread pixels while reading an interlaced image.
5663     */
5664    if (iImage >= 0 &&
5665       (where = pixel_cmp(std, store_image_row(dp->ps, pp, iImage, y),
5666             dp->bit_width)) != 0)
5667    {
5668       char msg[64];
5669       sprintf(msg, "PNG image row[%lu][%d] changed from %.2x to %.2x",
5670          (unsigned long)y, where-1, std[where-1],
5671          store_image_row(dp->ps, pp, iImage, y)[where-1]);
5672       png_error(pp, msg);
5673    }
5674 
5675    if (iDisplay >= 0 &&
5676       (where = pixel_cmp(std, store_image_row(dp->ps, pp, iDisplay, y),
5677          dp->bit_width)) != 0)
5678    {
5679       char msg[64];
5680       sprintf(msg, "display row[%lu][%d] changed from %.2x to %.2x",
5681          (unsigned long)y, where-1, std[where-1],
5682          store_image_row(dp->ps, pp, iDisplay, y)[where-1]);
5683       png_error(pp, msg);
5684    }
5685 }
5686 
5687 static void
standard_image_validate(standard_display * dp,png_const_structp pp,int iImage,int iDisplay)5688 standard_image_validate(standard_display *dp, png_const_structp pp, int iImage,
5689     int iDisplay)
5690 {
5691    png_uint_32 y;
5692 
5693    if (iImage >= 0)
5694       store_image_check(dp->ps, pp, iImage);
5695 
5696    if (iDisplay >= 0)
5697       store_image_check(dp->ps, pp, iDisplay);
5698 
5699    for (y=0; y<dp->h; ++y)
5700       standard_row_validate(dp, pp, iImage, iDisplay, y);
5701 
5702    /* This avoids false positives if the validation code is never called! */
5703    dp->ps->validated = 1;
5704 }
5705 
5706 static void PNGCBAPI
standard_end(png_structp ppIn,png_infop pi)5707 standard_end(png_structp ppIn, png_infop pi)
5708 {
5709    png_const_structp pp = ppIn;
5710    standard_display *dp = voidcast(standard_display*,
5711       png_get_progressive_ptr(pp));
5712 
5713    UNUSED(pi)
5714 
5715    /* Validate the image - progressive reading only produces one variant for
5716     * interlaced images.
5717     */
5718    standard_text_validate(dp, pp, pi,
5719       PNG_LIBPNG_VER >= 10518/*check_end: see comments above*/);
5720    standard_image_validate(dp, pp, 0, -1);
5721 }
5722 
5723 /* A single test run checking the standard image to ensure it is not damaged. */
5724 static void
standard_test(png_store * const psIn,png_uint_32 const id,int do_interlace,int use_update_info)5725 standard_test(png_store* const psIn, png_uint_32 const id,
5726    int do_interlace, int use_update_info)
5727 {
5728    standard_display d;
5729    context(psIn, fault);
5730 
5731    /* Set up the display (stack frame) variables from the arguments to the
5732     * function and initialize the locals that are filled in later.
5733     */
5734    standard_display_init(&d, psIn, id, do_interlace, use_update_info);
5735 
5736    /* Everything is protected by a Try/Catch.  The functions called also
5737     * typically have local Try/Catch blocks.
5738     */
5739    Try
5740    {
5741       png_structp pp;
5742       png_infop pi;
5743 
5744       /* Get a png_struct for reading the image. This will throw an error if it
5745        * fails, so we don't need to check the result.
5746        */
5747       pp = set_store_for_read(d.ps, &pi, d.id,
5748          d.do_interlace ?  (d.ps->progressive ?
5749             "pngvalid progressive deinterlacer" :
5750             "pngvalid sequential deinterlacer") : (d.ps->progressive ?
5751                "progressive reader" : "sequential reader"));
5752 
5753       /* Initialize the palette correctly from the png_store_file. */
5754       standard_palette_init(&d);
5755 
5756       /* Introduce the correct read function. */
5757       if (d.ps->progressive)
5758       {
5759          png_set_progressive_read_fn(pp, &d, standard_info, progressive_row,
5760             standard_end);
5761 
5762          /* Now feed data into the reader until we reach the end: */
5763          store_progressive_read(d.ps, pp, pi);
5764       }
5765       else
5766       {
5767          /* Note that this takes the store, not the display. */
5768          png_set_read_fn(pp, d.ps, store_read);
5769 
5770          /* Check the header values: */
5771          png_read_info(pp, pi);
5772 
5773          /* The code tests both versions of the images that the sequential
5774           * reader can produce.
5775           */
5776          standard_info_imp(&d, pp, pi, 2 /*images*/);
5777 
5778          /* Need the total bytes in the image below; we can't get to this point
5779           * unless the PNG file values have been checked against the expected
5780           * values.
5781           */
5782          {
5783             sequential_row(&d, pp, pi, 0, 1);
5784 
5785             /* After the last pass loop over the rows again to check that the
5786              * image is correct.
5787              */
5788             if (!d.speed)
5789             {
5790                standard_text_validate(&d, pp, pi, 1/*check_end*/);
5791                standard_image_validate(&d, pp, 0, 1);
5792             }
5793             else
5794                d.ps->validated = 1;
5795          }
5796       }
5797 
5798       /* Check for validation. */
5799       if (!d.ps->validated)
5800          png_error(pp, "image read failed silently");
5801 
5802       /* Successful completion. */
5803    }
5804 
5805    Catch(fault)
5806       d.ps = fault; /* make sure this hasn't been clobbered. */
5807 
5808    /* In either case clean up the store. */
5809    store_read_reset(d.ps);
5810 }
5811 
5812 static int
test_standard(png_modifier * const pm,png_byte const colour_type,int bdlo,int const bdhi)5813 test_standard(png_modifier* const pm, png_byte const colour_type,
5814     int bdlo, int const bdhi)
5815 {
5816    for (; bdlo <= bdhi; ++bdlo)
5817    {
5818       int interlace_type;
5819 
5820       for (interlace_type = PNG_INTERLACE_NONE;
5821            interlace_type < INTERLACE_LAST; ++interlace_type)
5822       {
5823          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5824             interlace_type, 0, 0, 0), do_read_interlace, pm->use_update_info);
5825 
5826          if (fail(pm))
5827             return 0;
5828       }
5829    }
5830 
5831    return 1; /* keep going */
5832 }
5833 
5834 static void
perform_standard_test(png_modifier * pm)5835 perform_standard_test(png_modifier *pm)
5836 {
5837    /* Test each colour type over the valid range of bit depths (expressed as
5838     * log2(bit_depth) in turn, stop as soon as any error is detected.
5839     */
5840    if (!test_standard(pm, 0, 0, READ_BDHI))
5841       return;
5842 
5843    if (!test_standard(pm, 2, 3, READ_BDHI))
5844       return;
5845 
5846    if (!test_standard(pm, 3, 0, 3))
5847       return;
5848 
5849    if (!test_standard(pm, 4, 3, READ_BDHI))
5850       return;
5851 
5852    if (!test_standard(pm, 6, 3, READ_BDHI))
5853       return;
5854 }
5855 
5856 
5857 /********************************** SIZE TESTS ********************************/
5858 static int
test_size(png_modifier * const pm,png_byte const colour_type,int bdlo,int const bdhi)5859 test_size(png_modifier* const pm, png_byte const colour_type,
5860     int bdlo, int const bdhi)
5861 {
5862    /* Run the tests on each combination.
5863     *
5864     * NOTE: on my 32 bit x86 each of the following blocks takes
5865     * a total of 3.5 seconds if done across every combo of bit depth
5866     * width and height.  This is a waste of time in practice, hence the
5867     * hinc and winc stuff:
5868     */
5869    static const png_byte hinc[] = {1, 3, 11, 1, 5};
5870    static const png_byte winc[] = {1, 9, 5, 7, 1};
5871    const int save_bdlo = bdlo;
5872 
5873    for (; bdlo <= bdhi; ++bdlo)
5874    {
5875       png_uint_32 h, w;
5876 
5877       for (h=1; h<=16; h+=hinc[bdlo]) for (w=1; w<=16; w+=winc[bdlo])
5878       {
5879          /* First test all the 'size' images against the sequential
5880           * reader using libpng to deinterlace (where required.)  This
5881           * validates the write side of libpng.  There are four possibilities
5882           * to validate.
5883           */
5884          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5885             PNG_INTERLACE_NONE, w, h, 0), 0/*do_interlace*/,
5886             pm->use_update_info);
5887 
5888          if (fail(pm))
5889             return 0;
5890 
5891          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5892             PNG_INTERLACE_NONE, w, h, 1), 0/*do_interlace*/,
5893             pm->use_update_info);
5894 
5895          if (fail(pm))
5896             return 0;
5897 
5898          /* Now validate the interlaced read side - do_interlace true,
5899           * in the progressive case this does actually make a difference
5900           * to the code used in the non-interlaced case too.
5901           */
5902          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5903             PNG_INTERLACE_NONE, w, h, 0), 1/*do_interlace*/,
5904             pm->use_update_info);
5905 
5906          if (fail(pm))
5907             return 0;
5908 
5909 #     if CAN_WRITE_INTERLACE
5910          /* Validate the pngvalid code itself: */
5911          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5912             PNG_INTERLACE_ADAM7, w, h, 1), 1/*do_interlace*/,
5913             pm->use_update_info);
5914 
5915          if (fail(pm))
5916             return 0;
5917 #     endif
5918       }
5919    }
5920 
5921    /* Now do the tests of libpng interlace handling, after we have made sure
5922     * that the pngvalid version works:
5923     */
5924    for (bdlo = save_bdlo; bdlo <= bdhi; ++bdlo)
5925    {
5926       png_uint_32 h, w;
5927 
5928       for (h=1; h<=16; h+=hinc[bdlo]) for (w=1; w<=16; w+=winc[bdlo])
5929       {
5930 #     ifdef PNG_READ_INTERLACING_SUPPORTED
5931          /* Test with pngvalid generated interlaced images first; we have
5932           * already verify these are ok (unless pngvalid has self-consistent
5933           * read/write errors, which is unlikely), so this detects errors in the
5934           * read side first:
5935           */
5936 #     if CAN_WRITE_INTERLACE
5937          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5938             PNG_INTERLACE_ADAM7, w, h, 1), 0/*do_interlace*/,
5939             pm->use_update_info);
5940 
5941          if (fail(pm))
5942             return 0;
5943 #     endif
5944 #     endif /* READ_INTERLACING */
5945 
5946 #     ifdef PNG_WRITE_INTERLACING_SUPPORTED
5947          /* Test the libpng write side against the pngvalid read side: */
5948          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5949             PNG_INTERLACE_ADAM7, w, h, 0), 1/*do_interlace*/,
5950             pm->use_update_info);
5951 
5952          if (fail(pm))
5953             return 0;
5954 #     endif
5955 
5956 #     ifdef PNG_READ_INTERLACING_SUPPORTED
5957 #     ifdef PNG_WRITE_INTERLACING_SUPPORTED
5958          /* Test both together: */
5959          standard_test(&pm->this, FILEID(colour_type, DEPTH(bdlo), 0/*palette*/,
5960             PNG_INTERLACE_ADAM7, w, h, 0), 0/*do_interlace*/,
5961             pm->use_update_info);
5962 
5963          if (fail(pm))
5964             return 0;
5965 #     endif
5966 #     endif /* READ_INTERLACING */
5967       }
5968    }
5969 
5970    return 1; /* keep going */
5971 }
5972 
5973 static void
perform_size_test(png_modifier * pm)5974 perform_size_test(png_modifier *pm)
5975 {
5976    /* Test each colour type over the valid range of bit depths (expressed as
5977     * log2(bit_depth) in turn, stop as soon as any error is detected.
5978     */
5979    if (!test_size(pm, 0, 0, READ_BDHI))
5980       return;
5981 
5982    if (!test_size(pm, 2, 3, READ_BDHI))
5983       return;
5984 
5985    /* For the moment don't do the palette test - it's a waste of time when
5986     * compared to the grayscale test.
5987     */
5988 #if 0
5989    if (!test_size(pm, 3, 0, 3))
5990       return;
5991 #endif
5992 
5993    if (!test_size(pm, 4, 3, READ_BDHI))
5994       return;
5995 
5996    if (!test_size(pm, 6, 3, READ_BDHI))
5997       return;
5998 }
5999 
6000 
6001 /******************************* TRANSFORM TESTS ******************************/
6002 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
6003 /* A set of tests to validate libpng image transforms.  The possibilities here
6004  * are legion because the transforms can be combined in a combinatorial
6005  * fashion.  To deal with this some measure of restraint is required, otherwise
6006  * the tests would take forever.
6007  */
6008 typedef struct image_pixel
6009 {
6010    /* A local (pngvalid) representation of a PNG pixel, in all its
6011     * various forms.
6012     */
6013    unsigned int red, green, blue, alpha; /* For non-palette images. */
6014    unsigned int palette_index;           /* For a palette image. */
6015    png_byte     colour_type;             /* As in the spec. */
6016    png_byte     bit_depth;               /* Defines bit size in row */
6017    png_byte     sample_depth;            /* Scale of samples */
6018    unsigned int have_tRNS :1;            /* tRNS chunk may need processing */
6019    unsigned int swap_rgb :1;             /* RGB swapped to BGR */
6020    unsigned int alpha_first :1;          /* Alpha at start, not end */
6021    unsigned int alpha_inverted :1;       /* Alpha channel inverted */
6022    unsigned int mono_inverted :1;        /* Gray channel inverted */
6023    unsigned int swap16 :1;               /* Byte swap 16-bit components */
6024    unsigned int littleendian :1;         /* High bits on right */
6025    unsigned int sig_bits :1;             /* Pixel shifted (sig bits only) */
6026 
6027    /* For checking the code calculates double precision floating point values
6028     * along with an error value, accumulated from the transforms.  Because an
6029     * sBIT setting allows larger error bounds (indeed, by the spec, apparently
6030     * up to just less than +/-1 in the scaled value) the *lowest* sBIT for each
6031     * channel is stored.  This sBIT value is folded in to the stored error value
6032     * at the end of the application of the transforms to the pixel.
6033     *
6034     * If sig_bits is set above the red, green, blue and alpha values have been
6035     * scaled so they only contain the significant bits of the component values.
6036     */
6037    double   redf, greenf, bluef, alphaf;
6038    double   rede, greene, bluee, alphae;
6039    png_byte red_sBIT, green_sBIT, blue_sBIT, alpha_sBIT;
6040 } image_pixel;
6041 
6042 /* Shared utility function, see below. */
6043 static void
image_pixel_setf(image_pixel * this,unsigned int rMax,unsigned int gMax,unsigned int bMax,unsigned int aMax)6044 image_pixel_setf(image_pixel *this, unsigned int rMax, unsigned int gMax,
6045         unsigned int bMax, unsigned int aMax)
6046 {
6047    this->redf = this->red / (double)rMax;
6048    this->greenf = this->green / (double)gMax;
6049    this->bluef = this->blue / (double)bMax;
6050    this->alphaf = this->alpha / (double)aMax;
6051 
6052    if (this->red < rMax)
6053       this->rede = this->redf * DBL_EPSILON;
6054    else
6055       this->rede = 0;
6056    if (this->green < gMax)
6057       this->greene = this->greenf * DBL_EPSILON;
6058    else
6059       this->greene = 0;
6060    if (this->blue < bMax)
6061       this->bluee = this->bluef * DBL_EPSILON;
6062    else
6063       this->bluee = 0;
6064    if (this->alpha < aMax)
6065       this->alphae = this->alphaf * DBL_EPSILON;
6066    else
6067       this->alphae = 0;
6068 }
6069 
6070 /* Initialize the structure for the next pixel - call this before doing any
6071  * transforms and call it for each pixel since all the fields may need to be
6072  * reset.
6073  */
6074 static void
image_pixel_init(image_pixel * this,png_const_bytep row,png_byte colour_type,png_byte bit_depth,png_uint_32 x,store_palette palette,const image_pixel * format)6075 image_pixel_init(image_pixel *this, png_const_bytep row, png_byte colour_type,
6076     png_byte bit_depth, png_uint_32 x, store_palette palette,
6077     const image_pixel *format /*from pngvalid transform of input*/)
6078 {
6079    const png_byte sample_depth = (png_byte)(colour_type ==
6080       PNG_COLOR_TYPE_PALETTE ? 8 : bit_depth);
6081    const unsigned int max = (1U<<sample_depth)-1;
6082    const int swap16 = (format != 0 && format->swap16);
6083    const int littleendian = (format != 0 && format->littleendian);
6084    const int sig_bits = (format != 0 && format->sig_bits);
6085 
6086    /* Initially just set everything to the same number and the alpha to opaque.
6087     * Note that this currently assumes a simple palette where entry x has colour
6088     * rgb(x,x,x)!
6089     */
6090    this->palette_index = this->red = this->green = this->blue =
6091       sample(row, colour_type, bit_depth, x, 0, swap16, littleendian);
6092    this->alpha = max;
6093    this->red_sBIT = this->green_sBIT = this->blue_sBIT = this->alpha_sBIT =
6094       sample_depth;
6095 
6096    /* Then override as appropriate: */
6097    if (colour_type == 3) /* palette */
6098    {
6099       /* This permits the caller to default to the sample value. */
6100       if (palette != 0)
6101       {
6102          const unsigned int i = this->palette_index;
6103 
6104          this->red = palette[i].red;
6105          this->green = palette[i].green;
6106          this->blue = palette[i].blue;
6107          this->alpha = palette[i].alpha;
6108       }
6109    }
6110 
6111    else /* not palette */
6112    {
6113       unsigned int i = 0;
6114 
6115       if ((colour_type & 4) != 0 && format != 0 && format->alpha_first)
6116       {
6117          this->alpha = this->red;
6118          /* This handles the gray case for 'AG' pixels */
6119          this->palette_index = this->red = this->green = this->blue =
6120             sample(row, colour_type, bit_depth, x, 1, swap16, littleendian);
6121          i = 1;
6122       }
6123 
6124       if (colour_type & 2)
6125       {
6126          /* Green is second for both BGR and RGB: */
6127          this->green = sample(row, colour_type, bit_depth, x, ++i, swap16,
6128                  littleendian);
6129 
6130          if (format != 0 && format->swap_rgb) /* BGR */
6131              this->red = sample(row, colour_type, bit_depth, x, ++i, swap16,
6132                      littleendian);
6133          else
6134              this->blue = sample(row, colour_type, bit_depth, x, ++i, swap16,
6135                      littleendian);
6136       }
6137 
6138       else /* grayscale */ if (format != 0 && format->mono_inverted)
6139          this->red = this->green = this->blue = this->red ^ max;
6140 
6141       if ((colour_type & 4) != 0) /* alpha */
6142       {
6143          if (format == 0 || !format->alpha_first)
6144              this->alpha = sample(row, colour_type, bit_depth, x, ++i, swap16,
6145                      littleendian);
6146 
6147          if (format != 0 && format->alpha_inverted)
6148             this->alpha ^= max;
6149       }
6150    }
6151 
6152    /* Calculate the scaled values, these are simply the values divided by
6153     * 'max' and the error is initialized to the double precision epsilon value
6154     * from the header file.
6155     */
6156    image_pixel_setf(this,
6157       sig_bits ? (1U << format->red_sBIT)-1 : max,
6158       sig_bits ? (1U << format->green_sBIT)-1 : max,
6159       sig_bits ? (1U << format->blue_sBIT)-1 : max,
6160       sig_bits ? (1U << format->alpha_sBIT)-1 : max);
6161 
6162    /* Store the input information for use in the transforms - these will
6163     * modify the information.
6164     */
6165    this->colour_type = colour_type;
6166    this->bit_depth = bit_depth;
6167    this->sample_depth = sample_depth;
6168    this->have_tRNS = 0;
6169    this->swap_rgb = 0;
6170    this->alpha_first = 0;
6171    this->alpha_inverted = 0;
6172    this->mono_inverted = 0;
6173    this->swap16 = 0;
6174    this->littleendian = 0;
6175    this->sig_bits = 0;
6176 }
6177 
6178 #if defined PNG_READ_EXPAND_SUPPORTED || defined PNG_READ_GRAY_TO_RGB_SUPPORTED\
6179    || defined PNG_READ_EXPAND_SUPPORTED || defined PNG_READ_EXPAND_16_SUPPORTED\
6180    || defined PNG_READ_BACKGROUND_SUPPORTED
6181 /* Convert a palette image to an rgb image.  This necessarily converts the tRNS
6182  * chunk at the same time, because the tRNS will be in palette form.  The way
6183  * palette validation works means that the original palette is never updated,
6184  * instead the image_pixel value from the row contains the RGB of the
6185  * corresponding palette entry and *this* is updated.  Consequently this routine
6186  * only needs to change the colour type information.
6187  */
6188 static void
image_pixel_convert_PLTE(image_pixel * this)6189 image_pixel_convert_PLTE(image_pixel *this)
6190 {
6191    if (this->colour_type == PNG_COLOR_TYPE_PALETTE)
6192    {
6193       if (this->have_tRNS)
6194       {
6195          this->colour_type = PNG_COLOR_TYPE_RGB_ALPHA;
6196          this->have_tRNS = 0;
6197       }
6198       else
6199          this->colour_type = PNG_COLOR_TYPE_RGB;
6200 
6201       /* The bit depth of the row changes at this point too (notice that this is
6202        * the row format, not the sample depth, which is separate.)
6203        */
6204       this->bit_depth = 8;
6205    }
6206 }
6207 
6208 /* Add an alpha channel; this will import the tRNS information because tRNS is
6209  * not valid in an alpha image.  The bit depth will invariably be set to at
6210  * least 8 prior to 1.7.0.  Palette images will be converted to alpha (using
6211  * the above API).  With png_set_background the alpha channel is never expanded
6212  * but this routine is used by pngvalid to simplify code; 'for_background'
6213  * records this.
6214  */
6215 static void
image_pixel_add_alpha(image_pixel * this,const standard_display * display,int for_background)6216 image_pixel_add_alpha(image_pixel *this, const standard_display *display,
6217    int for_background)
6218 {
6219    if (this->colour_type == PNG_COLOR_TYPE_PALETTE)
6220       image_pixel_convert_PLTE(this);
6221 
6222    if ((this->colour_type & PNG_COLOR_MASK_ALPHA) == 0)
6223    {
6224       if (this->colour_type == PNG_COLOR_TYPE_GRAY)
6225       {
6226 #        if PNG_LIBPNG_VER < 10700
6227             if (!for_background && this->bit_depth < 8)
6228                this->bit_depth = this->sample_depth = 8;
6229 #        endif
6230 
6231          if (this->have_tRNS)
6232          {
6233             /* After 1.7 the expansion of bit depth only happens if there is a
6234              * tRNS chunk to expand at this point.
6235              */
6236 #           if PNG_LIBPNG_VER >= 10700
6237                if (!for_background && this->bit_depth < 8)
6238                   this->bit_depth = this->sample_depth = 8;
6239 #           endif
6240 
6241             this->have_tRNS = 0;
6242 
6243             /* Check the input, original, channel value here against the
6244              * original tRNS gray chunk valie.
6245              */
6246             if (this->red == display->transparent.red)
6247                this->alphaf = 0;
6248             else
6249                this->alphaf = 1;
6250          }
6251          else
6252             this->alphaf = 1;
6253 
6254          this->colour_type = PNG_COLOR_TYPE_GRAY_ALPHA;
6255       }
6256 
6257       else if (this->colour_type == PNG_COLOR_TYPE_RGB)
6258       {
6259          if (this->have_tRNS)
6260          {
6261             this->have_tRNS = 0;
6262 
6263             /* Again, check the exact input values, not the current transformed
6264              * value!
6265              */
6266             if (this->red == display->transparent.red &&
6267                this->green == display->transparent.green &&
6268                this->blue == display->transparent.blue)
6269                this->alphaf = 0;
6270             else
6271                this->alphaf = 1;
6272          }
6273          else
6274             this->alphaf = 1;
6275 
6276          this->colour_type = PNG_COLOR_TYPE_RGB_ALPHA;
6277       }
6278 
6279       /* The error in the alpha is zero and the sBIT value comes from the
6280        * original sBIT data (actually it will always be the original bit depth).
6281        */
6282       this->alphae = 0;
6283       this->alpha_sBIT = display->alpha_sBIT;
6284    }
6285 }
6286 #endif /* transforms that need image_pixel_add_alpha */
6287 
6288 struct transform_display;
6289 typedef struct image_transform
6290 {
6291    /* The name of this transform: a string. */
6292    const char *name;
6293 
6294    /* Each transform can be disabled from the command line: */
6295    int enable;
6296 
6297    /* The global list of transforms; read only. */
6298    struct image_transform *const list;
6299 
6300    /* The global count of the number of times this transform has been set on an
6301     * image.
6302     */
6303    unsigned int global_use;
6304 
6305    /* The local count of the number of times this transform has been set. */
6306    unsigned int local_use;
6307 
6308    /* The next transform in the list, each transform must call its own next
6309     * transform after it has processed the pixel successfully.
6310     */
6311    const struct image_transform *next;
6312 
6313    /* A single transform for the image, expressed as a series of function
6314     * callbacks and some space for values.
6315     *
6316     * First a callback to add any required modifications to the png_modifier;
6317     * this gets called just before the modifier is set up for read.
6318     */
6319    void (*ini)(const struct image_transform *this,
6320       struct transform_display *that);
6321 
6322    /* And a callback to set the transform on the current png_read_struct:
6323     */
6324    void (*set)(const struct image_transform *this,
6325       struct transform_display *that, png_structp pp, png_infop pi);
6326 
6327    /* Then a transform that takes an input pixel in one PNG format or another
6328     * and modifies it by a pngvalid implementation of the transform (thus
6329     * duplicating the libpng intent without, we hope, duplicating the bugs
6330     * in the libpng implementation!)  The png_structp is solely to allow error
6331     * reporting via png_error and png_warning.
6332     */
6333    void (*mod)(const struct image_transform *this, image_pixel *that,
6334       png_const_structp pp, const struct transform_display *display);
6335 
6336    /* Add this transform to the list and return true if the transform is
6337     * meaningful for this colour type and bit depth - if false then the
6338     * transform should have no effect on the image so there's not a lot of
6339     * point running it.
6340     */
6341    int (*add)(struct image_transform *this,
6342       const struct image_transform **that, png_byte colour_type,
6343       png_byte bit_depth);
6344 } image_transform;
6345 
6346 typedef struct transform_display
6347 {
6348    standard_display this;
6349 
6350    /* Parameters */
6351    png_modifier*              pm;
6352    const image_transform* transform_list;
6353    unsigned int max_gamma_8;
6354 
6355    /* Local variables */
6356    png_byte output_colour_type;
6357    png_byte output_bit_depth;
6358    png_byte unpacked;
6359 
6360    /* Modifications (not necessarily used.) */
6361    gama_modification gama_mod;
6362    chrm_modification chrm_mod;
6363    srgb_modification srgb_mod;
6364 } transform_display;
6365 
6366 /* Set sRGB, cHRM and gAMA transforms as required by the current encoding. */
6367 static void
transform_set_encoding(transform_display * this)6368 transform_set_encoding(transform_display *this)
6369 {
6370    /* Set up the png_modifier '_current' fields then use these to determine how
6371     * to add appropriate chunks.
6372     */
6373    png_modifier *pm = this->pm;
6374 
6375    modifier_set_encoding(pm);
6376 
6377    if (modifier_color_encoding_is_set(pm))
6378    {
6379       if (modifier_color_encoding_is_sRGB(pm))
6380          srgb_modification_init(&this->srgb_mod, pm, PNG_sRGB_INTENT_ABSOLUTE);
6381 
6382       else
6383       {
6384          /* Set gAMA and cHRM separately. */
6385          gama_modification_init(&this->gama_mod, pm, pm->current_gamma);
6386 
6387          if (pm->current_encoding != 0)
6388             chrm_modification_init(&this->chrm_mod, pm, pm->current_encoding);
6389       }
6390    }
6391 }
6392 
6393 /* Three functions to end the list: */
6394 static void
image_transform_ini_end(const image_transform * this,transform_display * that)6395 image_transform_ini_end(const image_transform *this,
6396    transform_display *that)
6397 {
6398    UNUSED(this)
6399    UNUSED(that)
6400 }
6401 
6402 static void
image_transform_set_end(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)6403 image_transform_set_end(const image_transform *this,
6404    transform_display *that, png_structp pp, png_infop pi)
6405 {
6406    UNUSED(this)
6407    UNUSED(that)
6408    UNUSED(pp)
6409    UNUSED(pi)
6410 }
6411 
6412 /* At the end of the list recalculate the output image pixel value from the
6413  * double precision values set up by the preceding 'mod' calls:
6414  */
6415 static unsigned int
sample_scale(double sample_value,unsigned int scale)6416 sample_scale(double sample_value, unsigned int scale)
6417 {
6418    sample_value = floor(sample_value * scale + .5);
6419 
6420    /* Return NaN as 0: */
6421    if (!(sample_value > 0))
6422       sample_value = 0;
6423    else if (sample_value > scale)
6424       sample_value = scale;
6425 
6426    return (unsigned int)sample_value;
6427 }
6428 
6429 static void
image_transform_mod_end(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)6430 image_transform_mod_end(const image_transform *this, image_pixel *that,
6431     png_const_structp pp, const transform_display *display)
6432 {
6433    const unsigned int scale = (1U<<that->sample_depth)-1;
6434    const int sig_bits = that->sig_bits;
6435 
6436    UNUSED(this)
6437    UNUSED(pp)
6438    UNUSED(display)
6439 
6440    /* At the end recalculate the digitized red green and blue values according
6441     * to the current sample_depth of the pixel.
6442     *
6443     * The sample value is simply scaled to the maximum, checking for over
6444     * and underflow (which can both happen for some image transforms,
6445     * including simple size scaling, though libpng doesn't do that at present.
6446     */
6447    that->red = sample_scale(that->redf, scale);
6448 
6449    /* This is a bit bogus; really the above calculation should use the red_sBIT
6450     * value, not sample_depth, but because libpng does png_set_shift by just
6451     * shifting the bits we get errors if we don't do it the same way.
6452     */
6453    if (sig_bits && that->red_sBIT < that->sample_depth)
6454       that->red >>= that->sample_depth - that->red_sBIT;
6455 
6456    /* The error value is increased, at the end, according to the lowest sBIT
6457     * value seen.  Common sense tells us that the intermediate integer
6458     * representations are no more accurate than +/- 0.5 in the integral values,
6459     * the sBIT allows the implementation to be worse than this.  In addition the
6460     * PNG specification actually permits any error within the range (-1..+1),
6461     * but that is ignored here.  Instead the final digitized value is compared,
6462     * below to the digitized value of the error limits - this has the net effect
6463     * of allowing (almost) +/-1 in the output value.  It's difficult to see how
6464     * any algorithm that digitizes intermediate results can be more accurate.
6465     */
6466    that->rede += 1./(2*((1U<<that->red_sBIT)-1));
6467 
6468    if (that->colour_type & PNG_COLOR_MASK_COLOR)
6469    {
6470       that->green = sample_scale(that->greenf, scale);
6471       if (sig_bits && that->green_sBIT < that->sample_depth)
6472          that->green >>= that->sample_depth - that->green_sBIT;
6473 
6474       that->blue = sample_scale(that->bluef, scale);
6475       if (sig_bits && that->blue_sBIT < that->sample_depth)
6476          that->blue >>= that->sample_depth - that->blue_sBIT;
6477 
6478       that->greene += 1./(2*((1U<<that->green_sBIT)-1));
6479       that->bluee += 1./(2*((1U<<that->blue_sBIT)-1));
6480    }
6481    else
6482    {
6483       that->blue = that->green = that->red;
6484       that->bluef = that->greenf = that->redf;
6485       that->bluee = that->greene = that->rede;
6486    }
6487 
6488    if ((that->colour_type & PNG_COLOR_MASK_ALPHA) ||
6489       that->colour_type == PNG_COLOR_TYPE_PALETTE)
6490    {
6491       that->alpha = sample_scale(that->alphaf, scale);
6492       that->alphae += 1./(2*((1U<<that->alpha_sBIT)-1));
6493    }
6494    else
6495    {
6496       that->alpha = scale; /* opaque */
6497       that->alphaf = 1;    /* Override this. */
6498       that->alphae = 0;    /* It's exact ;-) */
6499    }
6500 
6501    if (sig_bits && that->alpha_sBIT < that->sample_depth)
6502       that->alpha >>= that->sample_depth - that->alpha_sBIT;
6503 }
6504 
6505 /* Static 'end' structure: */
6506 static image_transform image_transform_end =
6507 {
6508    "(end)", /* name */
6509    1, /* enable */
6510    0, /* list */
6511    0, /* global_use */
6512    0, /* local_use */
6513    0, /* next */
6514    image_transform_ini_end,
6515    image_transform_set_end,
6516    image_transform_mod_end,
6517    0 /* never called, I want it to crash if it is! */
6518 };
6519 
6520 /* Reader callbacks and implementations, where they differ from the standard
6521  * ones.
6522  */
6523 static void
transform_display_init(transform_display * dp,png_modifier * pm,png_uint_32 id,const image_transform * transform_list)6524 transform_display_init(transform_display *dp, png_modifier *pm, png_uint_32 id,
6525     const image_transform *transform_list)
6526 {
6527    memset(dp, 0, sizeof *dp);
6528 
6529    /* Standard fields */
6530    standard_display_init(&dp->this, &pm->this, id, do_read_interlace,
6531       pm->use_update_info);
6532 
6533    /* Parameter fields */
6534    dp->pm = pm;
6535    dp->transform_list = transform_list;
6536    dp->max_gamma_8 = 16;
6537 
6538    /* Local variable fields */
6539    dp->output_colour_type = 255; /* invalid */
6540    dp->output_bit_depth = 255;  /* invalid */
6541    dp->unpacked = 0; /* not unpacked */
6542 }
6543 
6544 static void
transform_info_imp(transform_display * dp,png_structp pp,png_infop pi)6545 transform_info_imp(transform_display *dp, png_structp pp, png_infop pi)
6546 {
6547    /* Reuse the standard stuff as appropriate. */
6548    standard_info_part1(&dp->this, pp, pi);
6549 
6550    /* Now set the list of transforms. */
6551    dp->transform_list->set(dp->transform_list, dp, pp, pi);
6552 
6553    /* Update the info structure for these transforms: */
6554    {
6555       int i = dp->this.use_update_info;
6556       /* Always do one call, even if use_update_info is 0. */
6557       do
6558          png_read_update_info(pp, pi);
6559       while (--i > 0);
6560    }
6561 
6562    /* And get the output information into the standard_display */
6563    standard_info_part2(&dp->this, pp, pi, 1/*images*/);
6564 
6565    /* Plus the extra stuff we need for the transform tests: */
6566    dp->output_colour_type = png_get_color_type(pp, pi);
6567    dp->output_bit_depth = png_get_bit_depth(pp, pi);
6568 
6569    /* If png_set_filler is in action then fake the output color type to include
6570     * an alpha channel where appropriate.
6571     */
6572    if (dp->output_bit_depth >= 8 &&
6573        (dp->output_colour_type == PNG_COLOR_TYPE_RGB ||
6574         dp->output_colour_type == PNG_COLOR_TYPE_GRAY) && dp->this.filler)
6575        dp->output_colour_type |= 4;
6576 
6577    /* Validate the combination of colour type and bit depth that we are getting
6578     * out of libpng; the semantics of something not in the PNG spec are, at
6579     * best, unclear.
6580     */
6581    switch (dp->output_colour_type)
6582    {
6583    case PNG_COLOR_TYPE_PALETTE:
6584       if (dp->output_bit_depth > 8) goto error;
6585       /*FALL THROUGH*/
6586    case PNG_COLOR_TYPE_GRAY:
6587       if (dp->output_bit_depth == 1 || dp->output_bit_depth == 2 ||
6588          dp->output_bit_depth == 4)
6589          break;
6590       /*FALL THROUGH*/
6591    default:
6592       if (dp->output_bit_depth == 8 || dp->output_bit_depth == 16)
6593          break;
6594       /*FALL THROUGH*/
6595    error:
6596       {
6597          char message[128];
6598          size_t pos;
6599 
6600          pos = safecat(message, sizeof message, 0,
6601             "invalid final bit depth: colour type(");
6602          pos = safecatn(message, sizeof message, pos, dp->output_colour_type);
6603          pos = safecat(message, sizeof message, pos, ") with bit depth: ");
6604          pos = safecatn(message, sizeof message, pos, dp->output_bit_depth);
6605 
6606          png_error(pp, message);
6607       }
6608    }
6609 
6610    /* Use a test pixel to check that the output agrees with what we expect -
6611     * this avoids running the whole test if the output is unexpected.  This also
6612     * checks for internal errors.
6613     */
6614    {
6615       image_pixel test_pixel;
6616 
6617       memset(&test_pixel, 0, sizeof test_pixel);
6618       test_pixel.colour_type = dp->this.colour_type; /* input */
6619       test_pixel.bit_depth = dp->this.bit_depth;
6620       if (test_pixel.colour_type == PNG_COLOR_TYPE_PALETTE)
6621          test_pixel.sample_depth = 8;
6622       else
6623          test_pixel.sample_depth = test_pixel.bit_depth;
6624       /* Don't need sBIT here, but it must be set to non-zero to avoid
6625        * arithmetic overflows.
6626        */
6627       test_pixel.have_tRNS = dp->this.is_transparent != 0;
6628       test_pixel.red_sBIT = test_pixel.green_sBIT = test_pixel.blue_sBIT =
6629          test_pixel.alpha_sBIT = test_pixel.sample_depth;
6630 
6631       dp->transform_list->mod(dp->transform_list, &test_pixel, pp, dp);
6632 
6633       if (test_pixel.colour_type != dp->output_colour_type)
6634       {
6635          char message[128];
6636          size_t pos = safecat(message, sizeof message, 0, "colour type ");
6637 
6638          pos = safecatn(message, sizeof message, pos, dp->output_colour_type);
6639          pos = safecat(message, sizeof message, pos, " expected ");
6640          pos = safecatn(message, sizeof message, pos, test_pixel.colour_type);
6641 
6642          png_error(pp, message);
6643       }
6644 
6645       if (test_pixel.bit_depth != dp->output_bit_depth)
6646       {
6647          char message[128];
6648          size_t pos = safecat(message, sizeof message, 0, "bit depth ");
6649 
6650          pos = safecatn(message, sizeof message, pos, dp->output_bit_depth);
6651          pos = safecat(message, sizeof message, pos, " expected ");
6652          pos = safecatn(message, sizeof message, pos, test_pixel.bit_depth);
6653 
6654          png_error(pp, message);
6655       }
6656 
6657       /* If both bit depth and colour type are correct check the sample depth.
6658        */
6659       if (test_pixel.colour_type == PNG_COLOR_TYPE_PALETTE &&
6660           test_pixel.sample_depth != 8) /* oops - internal error! */
6661          png_error(pp, "pngvalid: internal: palette sample depth not 8");
6662       else if (dp->unpacked && test_pixel.bit_depth != 8)
6663          png_error(pp, "pngvalid: internal: bad unpacked pixel depth");
6664       else if (!dp->unpacked && test_pixel.colour_type != PNG_COLOR_TYPE_PALETTE
6665               && test_pixel.bit_depth != test_pixel.sample_depth)
6666       {
6667          char message[128];
6668          size_t pos = safecat(message, sizeof message, 0,
6669             "internal: sample depth ");
6670 
6671          /* Because unless something has set 'unpacked' or the image is palette
6672           * mapped we expect the transform to keep sample depth and bit depth
6673           * the same.
6674           */
6675          pos = safecatn(message, sizeof message, pos, test_pixel.sample_depth);
6676          pos = safecat(message, sizeof message, pos, " expected ");
6677          pos = safecatn(message, sizeof message, pos, test_pixel.bit_depth);
6678 
6679          png_error(pp, message);
6680       }
6681       else if (test_pixel.bit_depth != dp->output_bit_depth)
6682       {
6683          /* This could be a libpng error too; libpng has not produced what we
6684           * expect for the output bit depth.
6685           */
6686          char message[128];
6687          size_t pos = safecat(message, sizeof message, 0,
6688             "internal: bit depth ");
6689 
6690          pos = safecatn(message, sizeof message, pos, dp->output_bit_depth);
6691          pos = safecat(message, sizeof message, pos, " expected ");
6692          pos = safecatn(message, sizeof message, pos, test_pixel.bit_depth);
6693 
6694          png_error(pp, message);
6695       }
6696    }
6697 }
6698 
6699 static void PNGCBAPI
transform_info(png_structp pp,png_infop pi)6700 transform_info(png_structp pp, png_infop pi)
6701 {
6702    transform_info_imp(voidcast(transform_display*, png_get_progressive_ptr(pp)),
6703       pp, pi);
6704 }
6705 
6706 static void
transform_range_check(png_const_structp pp,unsigned int r,unsigned int g,unsigned int b,unsigned int a,unsigned int in_digitized,double in,unsigned int out,png_byte sample_depth,double err,double limit,const char * name,double digitization_error)6707 transform_range_check(png_const_structp pp, unsigned int r, unsigned int g,
6708    unsigned int b, unsigned int a, unsigned int in_digitized, double in,
6709    unsigned int out, png_byte sample_depth, double err, double limit,
6710    const char *name, double digitization_error)
6711 {
6712    /* Compare the scaled, digitzed, values of our local calculation (in+-err)
6713     * with the digitized values libpng produced;  'sample_depth' is the actual
6714     * digitization depth of the libpng output colors (the bit depth except for
6715     * palette images where it is always 8.)  The check on 'err' is to detect
6716     * internal errors in pngvalid itself.
6717     */
6718    unsigned int max = (1U<<sample_depth)-1;
6719    double in_min = ceil((in-err)*max - digitization_error);
6720    double in_max = floor((in+err)*max + digitization_error);
6721    if (debugonly(err > limit ||) !(out >= in_min && out <= in_max))
6722    {
6723       char message[256];
6724       size_t pos;
6725 
6726       pos = safecat(message, sizeof message, 0, name);
6727       pos = safecat(message, sizeof message, pos, " output value error: rgba(");
6728       pos = safecatn(message, sizeof message, pos, r);
6729       pos = safecat(message, sizeof message, pos, ",");
6730       pos = safecatn(message, sizeof message, pos, g);
6731       pos = safecat(message, sizeof message, pos, ",");
6732       pos = safecatn(message, sizeof message, pos, b);
6733       pos = safecat(message, sizeof message, pos, ",");
6734       pos = safecatn(message, sizeof message, pos, a);
6735       pos = safecat(message, sizeof message, pos, "): ");
6736       pos = safecatn(message, sizeof message, pos, out);
6737       pos = safecat(message, sizeof message, pos, " expected: ");
6738       pos = safecatn(message, sizeof message, pos, in_digitized);
6739       pos = safecat(message, sizeof message, pos, " (");
6740       pos = safecatd(message, sizeof message, pos, (in-err)*max, 3);
6741       pos = safecat(message, sizeof message, pos, "..");
6742       pos = safecatd(message, sizeof message, pos, (in+err)*max, 3);
6743       pos = safecat(message, sizeof message, pos, ")");
6744 
6745       png_error(pp, message);
6746    }
6747 
6748    UNUSED(limit)
6749 }
6750 
6751 static void
transform_image_validate(transform_display * dp,png_const_structp pp,png_infop pi)6752 transform_image_validate(transform_display *dp, png_const_structp pp,
6753    png_infop pi)
6754 {
6755    /* Constants for the loop below: */
6756    const png_store* const ps = dp->this.ps;
6757    const png_byte in_ct = dp->this.colour_type;
6758    const png_byte in_bd = dp->this.bit_depth;
6759    const png_uint_32 w = dp->this.w;
6760    const png_uint_32 h = dp->this.h;
6761    const png_byte out_ct = dp->output_colour_type;
6762    const png_byte out_bd = dp->output_bit_depth;
6763    const png_byte sample_depth = (png_byte)(out_ct ==
6764       PNG_COLOR_TYPE_PALETTE ? 8 : out_bd);
6765    const png_byte red_sBIT = dp->this.red_sBIT;
6766    const png_byte green_sBIT = dp->this.green_sBIT;
6767    const png_byte blue_sBIT = dp->this.blue_sBIT;
6768    const png_byte alpha_sBIT = dp->this.alpha_sBIT;
6769    const int have_tRNS = dp->this.is_transparent;
6770    double digitization_error;
6771 
6772    store_palette out_palette;
6773    png_uint_32 y;
6774 
6775    UNUSED(pi)
6776 
6777    /* Check for row overwrite errors */
6778    store_image_check(dp->this.ps, pp, 0);
6779 
6780    /* Read the palette corresponding to the output if the output colour type
6781     * indicates a palette, othewise set out_palette to garbage.
6782     */
6783    if (out_ct == PNG_COLOR_TYPE_PALETTE)
6784    {
6785       /* Validate that the palette count itself has not changed - this is not
6786        * expected.
6787        */
6788       int npalette = (-1);
6789 
6790       (void)read_palette(out_palette, &npalette, pp, pi);
6791       if (npalette != dp->this.npalette)
6792          png_error(pp, "unexpected change in palette size");
6793 
6794       digitization_error = .5;
6795    }
6796    else
6797    {
6798       png_byte in_sample_depth;
6799 
6800       memset(out_palette, 0x5e, sizeof out_palette);
6801 
6802       /* use-input-precision means assume that if the input has 8 bit (or less)
6803        * samples and the output has 16 bit samples the calculations will be done
6804        * with 8 bit precision, not 16.
6805        */
6806       if (in_ct == PNG_COLOR_TYPE_PALETTE || in_bd < 16)
6807          in_sample_depth = 8;
6808       else
6809          in_sample_depth = in_bd;
6810 
6811       if (sample_depth != 16 || in_sample_depth > 8 ||
6812          !dp->pm->calculations_use_input_precision)
6813          digitization_error = .5;
6814 
6815       /* Else calculations are at 8 bit precision, and the output actually
6816        * consists of scaled 8-bit values, so scale .5 in 8 bits to the 16 bits:
6817        */
6818       else
6819          digitization_error = .5 * 257;
6820    }
6821 
6822    for (y=0; y<h; ++y)
6823    {
6824       png_const_bytep const pRow = store_image_row(ps, pp, 0, y);
6825       png_uint_32 x;
6826 
6827       /* The original, standard, row pre-transforms. */
6828       png_byte std[STANDARD_ROWMAX];
6829 
6830       transform_row(pp, std, in_ct, in_bd, y);
6831 
6832       /* Go through each original pixel transforming it and comparing with what
6833        * libpng did to the same pixel.
6834        */
6835       for (x=0; x<w; ++x)
6836       {
6837          image_pixel in_pixel, out_pixel;
6838          unsigned int r, g, b, a;
6839 
6840          /* Find out what we think the pixel should be: */
6841          image_pixel_init(&in_pixel, std, in_ct, in_bd, x, dp->this.palette,
6842                  NULL);
6843 
6844          in_pixel.red_sBIT = red_sBIT;
6845          in_pixel.green_sBIT = green_sBIT;
6846          in_pixel.blue_sBIT = blue_sBIT;
6847          in_pixel.alpha_sBIT = alpha_sBIT;
6848          in_pixel.have_tRNS = have_tRNS != 0;
6849 
6850          /* For error detection, below. */
6851          r = in_pixel.red;
6852          g = in_pixel.green;
6853          b = in_pixel.blue;
6854          a = in_pixel.alpha;
6855 
6856          /* This applies the transforms to the input data, including output
6857           * format operations which must be used when reading the output
6858           * pixel that libpng produces.
6859           */
6860          dp->transform_list->mod(dp->transform_list, &in_pixel, pp, dp);
6861 
6862          /* Read the output pixel and compare it to what we got, we don't
6863           * use the error field here, so no need to update sBIT.  in_pixel
6864           * says whether we expect libpng to change the output format.
6865           */
6866          image_pixel_init(&out_pixel, pRow, out_ct, out_bd, x, out_palette,
6867                  &in_pixel);
6868 
6869          /* We don't expect changes to the index here even if the bit depth is
6870           * changed.
6871           */
6872          if (in_ct == PNG_COLOR_TYPE_PALETTE &&
6873             out_ct == PNG_COLOR_TYPE_PALETTE)
6874          {
6875             if (in_pixel.palette_index != out_pixel.palette_index)
6876                png_error(pp, "unexpected transformed palette index");
6877          }
6878 
6879          /* Check the colours for palette images too - in fact the palette could
6880           * be separately verified itself in most cases.
6881           */
6882          if (in_pixel.red != out_pixel.red)
6883             transform_range_check(pp, r, g, b, a, in_pixel.red, in_pixel.redf,
6884                out_pixel.red, sample_depth, in_pixel.rede,
6885                dp->pm->limit + 1./(2*((1U<<in_pixel.red_sBIT)-1)), "red/gray",
6886                digitization_error);
6887 
6888          if ((out_ct & PNG_COLOR_MASK_COLOR) != 0 &&
6889             in_pixel.green != out_pixel.green)
6890             transform_range_check(pp, r, g, b, a, in_pixel.green,
6891                in_pixel.greenf, out_pixel.green, sample_depth, in_pixel.greene,
6892                dp->pm->limit + 1./(2*((1U<<in_pixel.green_sBIT)-1)), "green",
6893                digitization_error);
6894 
6895          if ((out_ct & PNG_COLOR_MASK_COLOR) != 0 &&
6896             in_pixel.blue != out_pixel.blue)
6897             transform_range_check(pp, r, g, b, a, in_pixel.blue, in_pixel.bluef,
6898                out_pixel.blue, sample_depth, in_pixel.bluee,
6899                dp->pm->limit + 1./(2*((1U<<in_pixel.blue_sBIT)-1)), "blue",
6900                digitization_error);
6901 
6902          if ((out_ct & PNG_COLOR_MASK_ALPHA) != 0 &&
6903             in_pixel.alpha != out_pixel.alpha)
6904             transform_range_check(pp, r, g, b, a, in_pixel.alpha,
6905                in_pixel.alphaf, out_pixel.alpha, sample_depth, in_pixel.alphae,
6906                dp->pm->limit + 1./(2*((1U<<in_pixel.alpha_sBIT)-1)), "alpha",
6907                digitization_error);
6908       } /* pixel (x) loop */
6909    } /* row (y) loop */
6910 
6911    /* Record that something was actually checked to avoid a false positive. */
6912    dp->this.ps->validated = 1;
6913 }
6914 
6915 static void PNGCBAPI
transform_end(png_structp ppIn,png_infop pi)6916 transform_end(png_structp ppIn, png_infop pi)
6917 {
6918    png_const_structp pp = ppIn;
6919    transform_display *dp = voidcast(transform_display*,
6920       png_get_progressive_ptr(pp));
6921 
6922    if (!dp->this.speed)
6923       transform_image_validate(dp, pp, pi);
6924    else
6925       dp->this.ps->validated = 1;
6926 }
6927 
6928 /* A single test run. */
6929 static void
transform_test(png_modifier * pmIn,const png_uint_32 idIn,const image_transform * transform_listIn,const char * const name)6930 transform_test(png_modifier *pmIn, const png_uint_32 idIn,
6931     const image_transform* transform_listIn, const char * const name)
6932 {
6933    transform_display d;
6934    context(&pmIn->this, fault);
6935 
6936    transform_display_init(&d, pmIn, idIn, transform_listIn);
6937 
6938    Try
6939    {
6940       size_t pos = 0;
6941       png_structp pp;
6942       png_infop pi;
6943       char full_name[256];
6944 
6945       /* Make sure the encoding fields are correct and enter the required
6946        * modifications.
6947        */
6948       transform_set_encoding(&d);
6949 
6950       /* Add any modifications required by the transform list. */
6951       d.transform_list->ini(d.transform_list, &d);
6952 
6953       /* Add the color space information, if any, to the name. */
6954       pos = safecat(full_name, sizeof full_name, pos, name);
6955       pos = safecat_current_encoding(full_name, sizeof full_name, pos, d.pm);
6956 
6957       /* Get a png_struct for reading the image. */
6958       pp = set_modifier_for_read(d.pm, &pi, d.this.id, full_name);
6959       standard_palette_init(&d.this);
6960 
6961 #     if 0
6962          /* Logging (debugging only) */
6963          {
6964             char buffer[256];
6965 
6966             (void)store_message(&d.pm->this, pp, buffer, sizeof buffer, 0,
6967                "running test");
6968 
6969             fprintf(stderr, "%s\n", buffer);
6970          }
6971 #     endif
6972 
6973       /* Introduce the correct read function. */
6974       if (d.pm->this.progressive)
6975       {
6976          /* Share the row function with the standard implementation. */
6977          png_set_progressive_read_fn(pp, &d, transform_info, progressive_row,
6978             transform_end);
6979 
6980          /* Now feed data into the reader until we reach the end: */
6981          modifier_progressive_read(d.pm, pp, pi);
6982       }
6983       else
6984       {
6985          /* modifier_read expects a png_modifier* */
6986          png_set_read_fn(pp, d.pm, modifier_read);
6987 
6988          /* Check the header values: */
6989          png_read_info(pp, pi);
6990 
6991          /* Process the 'info' requirements. Only one image is generated */
6992          transform_info_imp(&d, pp, pi);
6993 
6994          sequential_row(&d.this, pp, pi, -1, 0);
6995 
6996          if (!d.this.speed)
6997             transform_image_validate(&d, pp, pi);
6998          else
6999             d.this.ps->validated = 1;
7000       }
7001 
7002       modifier_reset(d.pm);
7003    }
7004 
7005    Catch(fault)
7006    {
7007       modifier_reset(voidcast(png_modifier*,(void*)fault));
7008    }
7009 }
7010 
7011 /* The transforms: */
7012 #define ITSTRUCT(name) image_transform_##name
7013 #define ITDATA(name) image_transform_data_##name
7014 #define image_transform_ini image_transform_default_ini
7015 #define IT(name)\
7016 static image_transform ITSTRUCT(name) =\
7017 {\
7018    #name,\
7019    1, /*enable*/\
7020    &PT, /*list*/\
7021    0, /*global_use*/\
7022    0, /*local_use*/\
7023    0, /*next*/\
7024    image_transform_ini,\
7025    image_transform_png_set_##name##_set,\
7026    image_transform_png_set_##name##_mod,\
7027    image_transform_png_set_##name##_add\
7028 }
7029 #define PT ITSTRUCT(end) /* stores the previous transform */
7030 
7031 /* To save code: */
7032 extern void image_transform_default_ini(const image_transform *this,
7033    transform_display *that); /* silence GCC warnings */
7034 
7035 void /* private, but almost always needed */
image_transform_default_ini(const image_transform * this,transform_display * that)7036 image_transform_default_ini(const image_transform *this,
7037     transform_display *that)
7038 {
7039    this->next->ini(this->next, that);
7040 }
7041 
7042 #ifdef PNG_READ_BACKGROUND_SUPPORTED
7043 static int
image_transform_default_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7044 image_transform_default_add(image_transform *this,
7045     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7046 {
7047    UNUSED(colour_type)
7048    UNUSED(bit_depth)
7049 
7050    this->next = *that;
7051    *that = this;
7052 
7053    return 1;
7054 }
7055 #endif
7056 
7057 #ifdef PNG_READ_EXPAND_SUPPORTED
7058 /* png_set_palette_to_rgb */
7059 static void
image_transform_png_set_palette_to_rgb_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7060 image_transform_png_set_palette_to_rgb_set(const image_transform *this,
7061     transform_display *that, png_structp pp, png_infop pi)
7062 {
7063    png_set_palette_to_rgb(pp);
7064    this->next->set(this->next, that, pp, pi);
7065 }
7066 
7067 static void
image_transform_png_set_palette_to_rgb_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7068 image_transform_png_set_palette_to_rgb_mod(const image_transform *this,
7069     image_pixel *that, png_const_structp pp,
7070     const transform_display *display)
7071 {
7072    if (that->colour_type == PNG_COLOR_TYPE_PALETTE)
7073       image_pixel_convert_PLTE(that);
7074 
7075    this->next->mod(this->next, that, pp, display);
7076 }
7077 
7078 static int
image_transform_png_set_palette_to_rgb_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7079 image_transform_png_set_palette_to_rgb_add(image_transform *this,
7080     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7081 {
7082    UNUSED(bit_depth)
7083 
7084    this->next = *that;
7085    *that = this;
7086 
7087    return colour_type == PNG_COLOR_TYPE_PALETTE;
7088 }
7089 
7090 IT(palette_to_rgb);
7091 #undef PT
7092 #define PT ITSTRUCT(palette_to_rgb)
7093 #endif /* PNG_READ_EXPAND_SUPPORTED */
7094 
7095 #ifdef PNG_READ_EXPAND_SUPPORTED
7096 /* png_set_tRNS_to_alpha */
7097 static void
image_transform_png_set_tRNS_to_alpha_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7098 image_transform_png_set_tRNS_to_alpha_set(const image_transform *this,
7099    transform_display *that, png_structp pp, png_infop pi)
7100 {
7101    png_set_tRNS_to_alpha(pp);
7102 
7103    /* If there was a tRNS chunk that would get expanded and add an alpha
7104     * channel is_transparent must be updated:
7105     */
7106    if (that->this.has_tRNS)
7107       that->this.is_transparent = 1;
7108 
7109    this->next->set(this->next, that, pp, pi);
7110 }
7111 
7112 static void
image_transform_png_set_tRNS_to_alpha_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7113 image_transform_png_set_tRNS_to_alpha_mod(const image_transform *this,
7114    image_pixel *that, png_const_structp pp,
7115    const transform_display *display)
7116 {
7117 #if PNG_LIBPNG_VER < 10700
7118    /* LIBPNG BUG: this always forces palette images to RGB. */
7119    if (that->colour_type == PNG_COLOR_TYPE_PALETTE)
7120       image_pixel_convert_PLTE(that);
7121 #endif
7122 
7123    /* This effectively does an 'expand' only if there is some transparency to
7124     * convert to an alpha channel.
7125     */
7126    if (that->have_tRNS)
7127 #     if PNG_LIBPNG_VER >= 10700
7128          if (that->colour_type != PNG_COLOR_TYPE_PALETTE &&
7129              (that->colour_type & PNG_COLOR_MASK_ALPHA) == 0)
7130 #     endif
7131       image_pixel_add_alpha(that, &display->this, 0/*!for background*/);
7132 
7133 #if PNG_LIBPNG_VER < 10700
7134    /* LIBPNG BUG: otherwise libpng still expands to 8 bits! */
7135    else
7136    {
7137       if (that->bit_depth < 8)
7138          that->bit_depth =8;
7139       if (that->sample_depth < 8)
7140          that->sample_depth = 8;
7141    }
7142 #endif
7143 
7144    this->next->mod(this->next, that, pp, display);
7145 }
7146 
7147 static int
image_transform_png_set_tRNS_to_alpha_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7148 image_transform_png_set_tRNS_to_alpha_add(image_transform *this,
7149     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7150 {
7151    UNUSED(bit_depth)
7152 
7153    this->next = *that;
7154    *that = this;
7155 
7156    /* We don't know yet whether there will be a tRNS chunk, but we know that
7157     * this transformation should do nothing if there already is an alpha
7158     * channel.  In addition, after the bug fix in 1.7.0, there is no longer
7159     * any action on a palette image.
7160     */
7161    return
7162 #  if PNG_LIBPNG_VER >= 10700
7163       colour_type != PNG_COLOR_TYPE_PALETTE &&
7164 #  endif
7165    (colour_type & PNG_COLOR_MASK_ALPHA) == 0;
7166 }
7167 
7168 IT(tRNS_to_alpha);
7169 #undef PT
7170 #define PT ITSTRUCT(tRNS_to_alpha)
7171 #endif /* PNG_READ_EXPAND_SUPPORTED */
7172 
7173 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
7174 /* png_set_gray_to_rgb */
7175 static void
image_transform_png_set_gray_to_rgb_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7176 image_transform_png_set_gray_to_rgb_set(const image_transform *this,
7177     transform_display *that, png_structp pp, png_infop pi)
7178 {
7179    png_set_gray_to_rgb(pp);
7180    /* NOTE: this doesn't result in tRNS expansion. */
7181    this->next->set(this->next, that, pp, pi);
7182 }
7183 
7184 static void
image_transform_png_set_gray_to_rgb_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7185 image_transform_png_set_gray_to_rgb_mod(const image_transform *this,
7186     image_pixel *that, png_const_structp pp,
7187     const transform_display *display)
7188 {
7189    /* NOTE: we can actually pend the tRNS processing at this point because we
7190     * can correctly recognize the original pixel value even though we have
7191     * mapped the one gray channel to the three RGB ones, but in fact libpng
7192     * doesn't do this, so we don't either.
7193     */
7194    if ((that->colour_type & PNG_COLOR_MASK_COLOR) == 0 && that->have_tRNS)
7195       image_pixel_add_alpha(that, &display->this, 0/*!for background*/);
7196 
7197    /* Simply expand the bit depth and alter the colour type as required. */
7198    if (that->colour_type == PNG_COLOR_TYPE_GRAY)
7199    {
7200       /* RGB images have a bit depth at least equal to '8' */
7201       if (that->bit_depth < 8)
7202          that->sample_depth = that->bit_depth = 8;
7203 
7204       /* And just changing the colour type works here because the green and blue
7205        * channels are being maintained in lock-step with the red/gray:
7206        */
7207       that->colour_type = PNG_COLOR_TYPE_RGB;
7208    }
7209 
7210    else if (that->colour_type == PNG_COLOR_TYPE_GRAY_ALPHA)
7211       that->colour_type = PNG_COLOR_TYPE_RGB_ALPHA;
7212 
7213    this->next->mod(this->next, that, pp, display);
7214 }
7215 
7216 static int
image_transform_png_set_gray_to_rgb_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7217 image_transform_png_set_gray_to_rgb_add(image_transform *this,
7218     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7219 {
7220    UNUSED(bit_depth)
7221 
7222    this->next = *that;
7223    *that = this;
7224 
7225    return (colour_type & PNG_COLOR_MASK_COLOR) == 0;
7226 }
7227 
7228 IT(gray_to_rgb);
7229 #undef PT
7230 #define PT ITSTRUCT(gray_to_rgb)
7231 #endif /* PNG_READ_GRAY_TO_RGB_SUPPORTED */
7232 
7233 #ifdef PNG_READ_EXPAND_SUPPORTED
7234 /* png_set_expand */
7235 static void
image_transform_png_set_expand_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7236 image_transform_png_set_expand_set(const image_transform *this,
7237     transform_display *that, png_structp pp, png_infop pi)
7238 {
7239    png_set_expand(pp);
7240 
7241    if (that->this.has_tRNS)
7242       that->this.is_transparent = 1;
7243 
7244    this->next->set(this->next, that, pp, pi);
7245 }
7246 
7247 static void
image_transform_png_set_expand_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7248 image_transform_png_set_expand_mod(const image_transform *this,
7249     image_pixel *that, png_const_structp pp,
7250     const transform_display *display)
7251 {
7252    /* The general expand case depends on what the colour type is: */
7253    if (that->colour_type == PNG_COLOR_TYPE_PALETTE)
7254       image_pixel_convert_PLTE(that);
7255    else if (that->bit_depth < 8) /* grayscale */
7256       that->sample_depth = that->bit_depth = 8;
7257 
7258    if (that->have_tRNS)
7259       image_pixel_add_alpha(that, &display->this, 0/*!for background*/);
7260 
7261    this->next->mod(this->next, that, pp, display);
7262 }
7263 
7264 static int
image_transform_png_set_expand_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7265 image_transform_png_set_expand_add(image_transform *this,
7266     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7267 {
7268    UNUSED(bit_depth)
7269 
7270    this->next = *that;
7271    *that = this;
7272 
7273    /* 'expand' should do nothing for RGBA or GA input - no tRNS and the bit
7274     * depth is at least 8 already.
7275     */
7276    return (colour_type & PNG_COLOR_MASK_ALPHA) == 0;
7277 }
7278 
7279 IT(expand);
7280 #undef PT
7281 #define PT ITSTRUCT(expand)
7282 #endif /* PNG_READ_EXPAND_SUPPORTED */
7283 
7284 #ifdef PNG_READ_EXPAND_SUPPORTED
7285 /* png_set_expand_gray_1_2_4_to_8
7286  * Pre 1.7.0 LIBPNG BUG: this just does an 'expand'
7287  */
7288 static void
image_transform_png_set_expand_gray_1_2_4_to_8_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7289 image_transform_png_set_expand_gray_1_2_4_to_8_set(
7290     const image_transform *this, transform_display *that, png_structp pp,
7291     png_infop pi)
7292 {
7293    png_set_expand_gray_1_2_4_to_8(pp);
7294    /* NOTE: don't expect this to expand tRNS */
7295    this->next->set(this->next, that, pp, pi);
7296 }
7297 
7298 static void
image_transform_png_set_expand_gray_1_2_4_to_8_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7299 image_transform_png_set_expand_gray_1_2_4_to_8_mod(
7300     const image_transform *this, image_pixel *that, png_const_structp pp,
7301     const transform_display *display)
7302 {
7303 #if PNG_LIBPNG_VER < 10700
7304    image_transform_png_set_expand_mod(this, that, pp, display);
7305 #else
7306    /* Only expand grayscale of bit depth less than 8: */
7307    if (that->colour_type == PNG_COLOR_TYPE_GRAY &&
7308        that->bit_depth < 8)
7309       that->sample_depth = that->bit_depth = 8;
7310 
7311    this->next->mod(this->next, that, pp, display);
7312 #endif /* 1.7 or later */
7313 }
7314 
7315 static int
image_transform_png_set_expand_gray_1_2_4_to_8_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7316 image_transform_png_set_expand_gray_1_2_4_to_8_add(image_transform *this,
7317     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7318 {
7319 #if PNG_LIBPNG_VER < 10700
7320    return image_transform_png_set_expand_add(this, that, colour_type,
7321       bit_depth);
7322 #else
7323    UNUSED(bit_depth)
7324 
7325    this->next = *that;
7326    *that = this;
7327 
7328    /* This should do nothing unless the color type is gray and the bit depth is
7329     * less than 8:
7330     */
7331    return colour_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8;
7332 #endif /* 1.7 or later */
7333 }
7334 
7335 IT(expand_gray_1_2_4_to_8);
7336 #undef PT
7337 #define PT ITSTRUCT(expand_gray_1_2_4_to_8)
7338 #endif /* PNG_READ_EXPAND_SUPPORTED */
7339 
7340 #ifdef PNG_READ_EXPAND_16_SUPPORTED
7341 /* png_set_expand_16 */
7342 static void
image_transform_png_set_expand_16_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7343 image_transform_png_set_expand_16_set(const image_transform *this,
7344     transform_display *that, png_structp pp, png_infop pi)
7345 {
7346    png_set_expand_16(pp);
7347 
7348    /* NOTE: prior to 1.7 libpng does SET_EXPAND as well, so tRNS is expanded. */
7349 #  if PNG_LIBPNG_VER < 10700
7350       if (that->this.has_tRNS)
7351          that->this.is_transparent = 1;
7352 #  endif
7353 
7354    this->next->set(this->next, that, pp, pi);
7355 }
7356 
7357 static void
image_transform_png_set_expand_16_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7358 image_transform_png_set_expand_16_mod(const image_transform *this,
7359     image_pixel *that, png_const_structp pp,
7360     const transform_display *display)
7361 {
7362    /* Expect expand_16 to expand everything to 16 bits as a result of also
7363     * causing 'expand' to happen.
7364     */
7365    if (that->colour_type == PNG_COLOR_TYPE_PALETTE)
7366       image_pixel_convert_PLTE(that);
7367 
7368    if (that->have_tRNS)
7369       image_pixel_add_alpha(that, &display->this, 0/*!for background*/);
7370 
7371    if (that->bit_depth < 16)
7372       that->sample_depth = that->bit_depth = 16;
7373 
7374    this->next->mod(this->next, that, pp, display);
7375 }
7376 
7377 static int
image_transform_png_set_expand_16_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7378 image_transform_png_set_expand_16_add(image_transform *this,
7379     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7380 {
7381    UNUSED(colour_type)
7382 
7383    this->next = *that;
7384    *that = this;
7385 
7386    /* expand_16 does something unless the bit depth is already 16. */
7387    return bit_depth < 16;
7388 }
7389 
7390 IT(expand_16);
7391 #undef PT
7392 #define PT ITSTRUCT(expand_16)
7393 #endif /* PNG_READ_EXPAND_16_SUPPORTED */
7394 
7395 #ifdef PNG_READ_SCALE_16_TO_8_SUPPORTED  /* API added in 1.5.4 */
7396 /* png_set_scale_16 */
7397 static void
image_transform_png_set_scale_16_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7398 image_transform_png_set_scale_16_set(const image_transform *this,
7399     transform_display *that, png_structp pp, png_infop pi)
7400 {
7401    png_set_scale_16(pp);
7402 #  if PNG_LIBPNG_VER < 10700
7403       /* libpng will limit the gamma table size: */
7404       that->max_gamma_8 = PNG_MAX_GAMMA_8;
7405 #  endif
7406    this->next->set(this->next, that, pp, pi);
7407 }
7408 
7409 static void
image_transform_png_set_scale_16_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7410 image_transform_png_set_scale_16_mod(const image_transform *this,
7411     image_pixel *that, png_const_structp pp,
7412     const transform_display *display)
7413 {
7414    if (that->bit_depth == 16)
7415    {
7416       that->sample_depth = that->bit_depth = 8;
7417       if (that->red_sBIT > 8) that->red_sBIT = 8;
7418       if (that->green_sBIT > 8) that->green_sBIT = 8;
7419       if (that->blue_sBIT > 8) that->blue_sBIT = 8;
7420       if (that->alpha_sBIT > 8) that->alpha_sBIT = 8;
7421    }
7422 
7423    this->next->mod(this->next, that, pp, display);
7424 }
7425 
7426 static int
image_transform_png_set_scale_16_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7427 image_transform_png_set_scale_16_add(image_transform *this,
7428     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7429 {
7430    UNUSED(colour_type)
7431 
7432    this->next = *that;
7433    *that = this;
7434 
7435    return bit_depth > 8;
7436 }
7437 
7438 IT(scale_16);
7439 #undef PT
7440 #define PT ITSTRUCT(scale_16)
7441 #endif /* PNG_READ_SCALE_16_TO_8_SUPPORTED (1.5.4 on) */
7442 
7443 #ifdef PNG_READ_16_TO_8_SUPPORTED /* the default before 1.5.4 */
7444 /* png_set_strip_16 */
7445 static void
image_transform_png_set_strip_16_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7446 image_transform_png_set_strip_16_set(const image_transform *this,
7447     transform_display *that, png_structp pp, png_infop pi)
7448 {
7449    png_set_strip_16(pp);
7450 #  if PNG_LIBPNG_VER < 10700
7451       /* libpng will limit the gamma table size: */
7452       that->max_gamma_8 = PNG_MAX_GAMMA_8;
7453 #  endif
7454    this->next->set(this->next, that, pp, pi);
7455 }
7456 
7457 static void
image_transform_png_set_strip_16_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7458 image_transform_png_set_strip_16_mod(const image_transform *this,
7459     image_pixel *that, png_const_structp pp,
7460     const transform_display *display)
7461 {
7462    if (that->bit_depth == 16)
7463    {
7464       that->sample_depth = that->bit_depth = 8;
7465       if (that->red_sBIT > 8) that->red_sBIT = 8;
7466       if (that->green_sBIT > 8) that->green_sBIT = 8;
7467       if (that->blue_sBIT > 8) that->blue_sBIT = 8;
7468       if (that->alpha_sBIT > 8) that->alpha_sBIT = 8;
7469 
7470       /* Prior to 1.5.4 png_set_strip_16 would use an 'accurate' method if this
7471        * configuration option is set.  From 1.5.4 the flag is never set and the
7472        * 'scale' API (above) must be used.
7473        */
7474 #     ifdef PNG_READ_ACCURATE_SCALE_SUPPORTED
7475 #        if PNG_LIBPNG_VER >= 10504
7476 #           error PNG_READ_ACCURATE_SCALE should not be set
7477 #        endif
7478 
7479          /* The strip 16 algorithm drops the low 8 bits rather than calculating
7480           * 1/257, so we need to adjust the permitted errors appropriately:
7481           * Notice that this is only relevant prior to the addition of the
7482           * png_set_scale_16 API in 1.5.4 (but 1.5.4+ always defines the above!)
7483           */
7484          {
7485             const double d = (255-128.5)/65535;
7486             that->rede += d;
7487             that->greene += d;
7488             that->bluee += d;
7489             that->alphae += d;
7490          }
7491 #     endif
7492    }
7493 
7494    this->next->mod(this->next, that, pp, display);
7495 }
7496 
7497 static int
image_transform_png_set_strip_16_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7498 image_transform_png_set_strip_16_add(image_transform *this,
7499     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7500 {
7501    UNUSED(colour_type)
7502 
7503    this->next = *that;
7504    *that = this;
7505 
7506    return bit_depth > 8;
7507 }
7508 
7509 IT(strip_16);
7510 #undef PT
7511 #define PT ITSTRUCT(strip_16)
7512 #endif /* PNG_READ_16_TO_8_SUPPORTED */
7513 
7514 #ifdef PNG_READ_STRIP_ALPHA_SUPPORTED
7515 /* png_set_strip_alpha */
7516 static void
image_transform_png_set_strip_alpha_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7517 image_transform_png_set_strip_alpha_set(const image_transform *this,
7518     transform_display *that, png_structp pp, png_infop pi)
7519 {
7520    png_set_strip_alpha(pp);
7521    this->next->set(this->next, that, pp, pi);
7522 }
7523 
7524 static void
image_transform_png_set_strip_alpha_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7525 image_transform_png_set_strip_alpha_mod(const image_transform *this,
7526     image_pixel *that, png_const_structp pp,
7527     const transform_display *display)
7528 {
7529    if (that->colour_type == PNG_COLOR_TYPE_GRAY_ALPHA)
7530       that->colour_type = PNG_COLOR_TYPE_GRAY;
7531    else if (that->colour_type == PNG_COLOR_TYPE_RGB_ALPHA)
7532       that->colour_type = PNG_COLOR_TYPE_RGB;
7533 
7534    that->have_tRNS = 0;
7535    that->alphaf = 1;
7536 
7537    this->next->mod(this->next, that, pp, display);
7538 }
7539 
7540 static int
image_transform_png_set_strip_alpha_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)7541 image_transform_png_set_strip_alpha_add(image_transform *this,
7542     const image_transform **that, png_byte colour_type, png_byte bit_depth)
7543 {
7544    UNUSED(bit_depth)
7545 
7546    this->next = *that;
7547    *that = this;
7548 
7549    return (colour_type & PNG_COLOR_MASK_ALPHA) != 0;
7550 }
7551 
7552 IT(strip_alpha);
7553 #undef PT
7554 #define PT ITSTRUCT(strip_alpha)
7555 #endif /* PNG_READ_STRIP_ALPHA_SUPPORTED */
7556 
7557 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
7558 /* png_set_rgb_to_gray(png_structp, int err_action, double red, double green)
7559  * png_set_rgb_to_gray_fixed(png_structp, int err_action, png_fixed_point red,
7560  *    png_fixed_point green)
7561  * png_get_rgb_to_gray_status
7562  *
7563  * The 'default' test here uses values known to be used inside libpng prior to
7564  * 1.7.0:
7565  *
7566  *   red:    6968
7567  *   green: 23434
7568  *   blue:   2366
7569  *
7570  * These values are being retained for compatibility, along with the somewhat
7571  * broken truncation calculation in the fast-and-inaccurate code path.  Older
7572  * versions of libpng will fail the accuracy tests below because they use the
7573  * truncation algorithm everywhere.
7574  */
7575 #define data ITDATA(rgb_to_gray)
7576 static struct
7577 {
7578    double gamma;      /* File gamma to use in processing */
7579 
7580    /* The following are the parameters for png_set_rgb_to_gray: */
7581 #  ifdef PNG_FLOATING_POINT_SUPPORTED
7582       double red_to_set;
7583       double green_to_set;
7584 #  else
7585       png_fixed_point red_to_set;
7586       png_fixed_point green_to_set;
7587 #  endif
7588 
7589    /* The actual coefficients: */
7590    double red_coefficient;
7591    double green_coefficient;
7592    double blue_coefficient;
7593 
7594    /* Set if the coeefficients have been overridden. */
7595    int coefficients_overridden;
7596 } data;
7597 
7598 #undef image_transform_ini
7599 #define image_transform_ini image_transform_png_set_rgb_to_gray_ini
7600 static void
image_transform_png_set_rgb_to_gray_ini(const image_transform * this,transform_display * that)7601 image_transform_png_set_rgb_to_gray_ini(const image_transform *this,
7602     transform_display *that)
7603 {
7604    png_modifier *pm = that->pm;
7605    const color_encoding *e = pm->current_encoding;
7606 
7607    UNUSED(this)
7608 
7609    /* Since we check the encoding this flag must be set: */
7610    pm->test_uses_encoding = 1;
7611 
7612    /* If 'e' is not NULL chromaticity information is present and either a cHRM
7613     * or an sRGB chunk will be inserted.
7614     */
7615    if (e != 0)
7616    {
7617       /* Coefficients come from the encoding, but may need to be normalized to a
7618        * white point Y of 1.0
7619        */
7620       const double whiteY = e->red.Y + e->green.Y + e->blue.Y;
7621 
7622       data.red_coefficient = e->red.Y;
7623       data.green_coefficient = e->green.Y;
7624       data.blue_coefficient = e->blue.Y;
7625 
7626       if (whiteY != 1)
7627       {
7628          data.red_coefficient /= whiteY;
7629          data.green_coefficient /= whiteY;
7630          data.blue_coefficient /= whiteY;
7631       }
7632    }
7633 
7634    else
7635    {
7636       /* The default (built in) coeffcients, as above: */
7637 #     if PNG_LIBPNG_VER < 10700
7638          data.red_coefficient = 6968 / 32768.;
7639          data.green_coefficient = 23434 / 32768.;
7640          data.blue_coefficient = 2366 / 32768.;
7641 #     else
7642          data.red_coefficient = .2126;
7643          data.green_coefficient = .7152;
7644          data.blue_coefficient = .0722;
7645 #     endif
7646    }
7647 
7648    data.gamma = pm->current_gamma;
7649 
7650    /* If not set then the calculations assume linear encoding (implicitly): */
7651    if (data.gamma == 0)
7652       data.gamma = 1;
7653 
7654    /* The arguments to png_set_rgb_to_gray can override the coefficients implied
7655     * by the color space encoding.  If doing exhaustive checks do the override
7656     * in each case, otherwise do it randomly.
7657     */
7658    if (pm->test_exhaustive)
7659    {
7660       /* First time in coefficients_overridden is 0, the following sets it to 1,
7661        * so repeat if it is set.  If a test fails this may mean we subsequently
7662        * skip a non-override test, ignore that.
7663        */
7664       data.coefficients_overridden = !data.coefficients_overridden;
7665       pm->repeat = data.coefficients_overridden != 0;
7666    }
7667 
7668    else
7669       data.coefficients_overridden = random_choice();
7670 
7671    if (data.coefficients_overridden)
7672    {
7673       /* These values override the color encoding defaults, simply use random
7674        * numbers.
7675        */
7676       png_uint_32 ru;
7677       double total;
7678 
7679       ru = random_u32();
7680       data.green_coefficient = total = (ru & 0xffff) / 65535.;
7681       ru >>= 16;
7682       data.red_coefficient = (1 - total) * (ru & 0xffff) / 65535.;
7683       total += data.red_coefficient;
7684       data.blue_coefficient = 1 - total;
7685 
7686 #     ifdef PNG_FLOATING_POINT_SUPPORTED
7687          data.red_to_set = data.red_coefficient;
7688          data.green_to_set = data.green_coefficient;
7689 #     else
7690          data.red_to_set = fix(data.red_coefficient);
7691          data.green_to_set = fix(data.green_coefficient);
7692 #     endif
7693 
7694       /* The following just changes the error messages: */
7695       pm->encoding_ignored = 1;
7696    }
7697 
7698    else
7699    {
7700       data.red_to_set = -1;
7701       data.green_to_set = -1;
7702    }
7703 
7704    /* Adjust the error limit in the png_modifier because of the larger errors
7705     * produced in the digitization during the gamma handling.
7706     */
7707    if (data.gamma != 1) /* Use gamma tables */
7708    {
7709       if (that->this.bit_depth == 16 || pm->assume_16_bit_calculations)
7710       {
7711          /* The computations have the form:
7712           *
7713           *    r * rc + g * gc + b * bc
7714           *
7715           *  Each component of which is +/-1/65535 from the gamma_to_1 table
7716           *  lookup, resulting in a base error of +/-6.  The gamma_from_1
7717           *  conversion adds another +/-2 in the 16-bit case and
7718           *  +/-(1<<(15-PNG_MAX_GAMMA_8)) in the 8-bit case.
7719           */
7720 #        if PNG_LIBPNG_VER < 10700
7721             if (that->this.bit_depth < 16)
7722                that->max_gamma_8 = PNG_MAX_GAMMA_8;
7723 #        endif
7724          that->pm->limit += pow(
7725             (that->this.bit_depth == 16 || that->max_gamma_8 > 14 ?
7726                8. :
7727                6. + (1<<(15-that->max_gamma_8))
7728             )/65535, data.gamma);
7729       }
7730 
7731       else
7732       {
7733          /* Rounding to 8 bits in the linear space causes massive errors which
7734           * will trigger the error check in transform_range_check.  Fix that
7735           * here by taking the gamma encoding into account.
7736           *
7737           * When DIGITIZE is set because a pre-1.7 version of libpng is being
7738           * tested allow a bigger slack.
7739           *
7740           * NOTE: this number only affects the internal limit check in pngvalid,
7741           * it has no effect on the limits applied to the libpng values.
7742           */
7743          that->pm->limit += pow(
7744 #        if DIGITIZE
7745             2.0
7746 #        else
7747             1.0
7748 #        endif
7749             /255, data.gamma);
7750       }
7751    }
7752 
7753    else
7754    {
7755       /* With no gamma correction a large error comes from the truncation of the
7756        * calculation in the 8 bit case, allow for that here.
7757        */
7758       if (that->this.bit_depth != 16 && !pm->assume_16_bit_calculations)
7759          that->pm->limit += 4E-3;
7760    }
7761 }
7762 
7763 static void
image_transform_png_set_rgb_to_gray_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)7764 image_transform_png_set_rgb_to_gray_set(const image_transform *this,
7765     transform_display *that, png_structp pp, png_infop pi)
7766 {
7767    const int error_action = 1; /* no error, no defines in png.h */
7768 
7769 #  ifdef PNG_FLOATING_POINT_SUPPORTED
7770       png_set_rgb_to_gray(pp, error_action, data.red_to_set, data.green_to_set);
7771 #  else
7772       png_set_rgb_to_gray_fixed(pp, error_action, data.red_to_set,
7773          data.green_to_set);
7774 #  endif
7775 
7776 #  ifdef PNG_READ_cHRM_SUPPORTED
7777       if (that->pm->current_encoding != 0)
7778       {
7779          /* We have an encoding so a cHRM chunk may have been set; if so then
7780           * check that the libpng APIs give the correct (X,Y,Z) values within
7781           * some margin of error for the round trip through the chromaticity
7782           * form.
7783           */
7784 #        ifdef PNG_FLOATING_POINT_SUPPORTED
7785 #           define API_function png_get_cHRM_XYZ
7786 #           define API_form "FP"
7787 #           define API_type double
7788 #           define API_cvt(x) (x)
7789 #        else
7790 #           define API_function png_get_cHRM_XYZ_fixed
7791 #           define API_form "fixed"
7792 #           define API_type png_fixed_point
7793 #           define API_cvt(x) ((double)(x)/PNG_FP_1)
7794 #        endif
7795 
7796          API_type rX, gX, bX;
7797          API_type rY, gY, bY;
7798          API_type rZ, gZ, bZ;
7799 
7800          if ((API_function(pp, pi, &rX, &rY, &rZ, &gX, &gY, &gZ, &bX, &bY, &bZ)
7801                & PNG_INFO_cHRM) != 0)
7802          {
7803             double maxe;
7804             const char *el;
7805             color_encoding e, o;
7806 
7807             /* Expect libpng to return a normalized result, but the original
7808              * color space encoding may not be normalized.
7809              */
7810             modifier_current_encoding(that->pm, &o);
7811             normalize_color_encoding(&o);
7812 
7813             /* Sanity check the pngvalid code - the coefficients should match
7814              * the normalized Y values of the encoding unless they were
7815              * overridden.
7816              */
7817             if (data.red_to_set == -1 && data.green_to_set == -1 &&
7818                (fabs(o.red.Y - data.red_coefficient) > DBL_EPSILON ||
7819                fabs(o.green.Y - data.green_coefficient) > DBL_EPSILON ||
7820                fabs(o.blue.Y - data.blue_coefficient) > DBL_EPSILON))
7821                png_error(pp, "internal pngvalid cHRM coefficient error");
7822 
7823             /* Generate a colour space encoding. */
7824             e.gamma = o.gamma; /* not used */
7825             e.red.X = API_cvt(rX);
7826             e.red.Y = API_cvt(rY);
7827             e.red.Z = API_cvt(rZ);
7828             e.green.X = API_cvt(gX);
7829             e.green.Y = API_cvt(gY);
7830             e.green.Z = API_cvt(gZ);
7831             e.blue.X = API_cvt(bX);
7832             e.blue.Y = API_cvt(bY);
7833             e.blue.Z = API_cvt(bZ);
7834 
7835             /* This should match the original one from the png_modifier, within
7836              * the range permitted by the libpng fixed point representation.
7837              */
7838             maxe = 0;
7839             el = "-"; /* Set to element name with error */
7840 
7841 #           define CHECK(col,x)\
7842             {\
7843                double err = fabs(o.col.x - e.col.x);\
7844                if (err > maxe)\
7845                {\
7846                   maxe = err;\
7847                   el = #col "(" #x ")";\
7848                }\
7849             }
7850 
7851             CHECK(red,X)
7852             CHECK(red,Y)
7853             CHECK(red,Z)
7854             CHECK(green,X)
7855             CHECK(green,Y)
7856             CHECK(green,Z)
7857             CHECK(blue,X)
7858             CHECK(blue,Y)
7859             CHECK(blue,Z)
7860 
7861             /* Here in both fixed and floating cases to check the values read
7862              * from the cHRm chunk.  PNG uses fixed point in the cHRM chunk, so
7863              * we can't expect better than +/-.5E-5 on the result, allow 1E-5.
7864              */
7865             if (maxe >= 1E-5)
7866             {
7867                size_t pos = 0;
7868                char buffer[256];
7869 
7870                pos = safecat(buffer, sizeof buffer, pos, API_form);
7871                pos = safecat(buffer, sizeof buffer, pos, " cHRM ");
7872                pos = safecat(buffer, sizeof buffer, pos, el);
7873                pos = safecat(buffer, sizeof buffer, pos, " error: ");
7874                pos = safecatd(buffer, sizeof buffer, pos, maxe, 7);
7875                pos = safecat(buffer, sizeof buffer, pos, " ");
7876                /* Print the color space without the gamma value: */
7877                pos = safecat_color_encoding(buffer, sizeof buffer, pos, &o, 0);
7878                pos = safecat(buffer, sizeof buffer, pos, " -> ");
7879                pos = safecat_color_encoding(buffer, sizeof buffer, pos, &e, 0);
7880 
7881                png_error(pp, buffer);
7882             }
7883          }
7884       }
7885 #  endif /* READ_cHRM */
7886 
7887    this->next->set(this->next, that, pp, pi);
7888 }
7889 
7890 static void
image_transform_png_set_rgb_to_gray_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)7891 image_transform_png_set_rgb_to_gray_mod(const image_transform *this,
7892     image_pixel *that, png_const_structp pp,
7893     const transform_display *display)
7894 {
7895    if ((that->colour_type & PNG_COLOR_MASK_COLOR) != 0)
7896    {
7897       double gray, err;
7898 
7899 #     if PNG_LIBPNG_VER < 10700
7900          if (that->colour_type == PNG_COLOR_TYPE_PALETTE)
7901             image_pixel_convert_PLTE(that);
7902 #     endif
7903 
7904       /* Image now has RGB channels... */
7905 #  if DIGITIZE
7906       {
7907          png_modifier *pm = display->pm;
7908          const unsigned int sample_depth = that->sample_depth;
7909          const unsigned int calc_depth = (pm->assume_16_bit_calculations ? 16 :
7910             sample_depth);
7911          const unsigned int gamma_depth =
7912             (sample_depth == 16 ?
7913                display->max_gamma_8 :
7914                (pm->assume_16_bit_calculations ?
7915                   display->max_gamma_8 :
7916                   sample_depth));
7917          int isgray;
7918          double r, g, b;
7919          double rlo, rhi, glo, ghi, blo, bhi, graylo, grayhi;
7920 
7921          /* Do this using interval arithmetic, otherwise it is too difficult to
7922           * handle the errors correctly.
7923           *
7924           * To handle the gamma correction work out the upper and lower bounds
7925           * of the digitized value.  Assume rounding here - normally the values
7926           * will be identical after this operation if there is only one
7927           * transform, feel free to delete the png_error checks on this below in
7928           * the future (this is just me trying to ensure it works!)
7929           *
7930           * Interval arithmetic is exact, but to implement it it must be
7931           * possible to control the floating point implementation rounding mode.
7932           * This cannot be done in ANSI-C, so instead I reduce the 'lo' values
7933           * by DBL_EPSILON and increase the 'hi' values by the same.
7934           */
7935 #        define DD(v,d,r) (digitize(v*(1-DBL_EPSILON), d, r) * (1-DBL_EPSILON))
7936 #        define DU(v,d,r) (digitize(v*(1+DBL_EPSILON), d, r) * (1+DBL_EPSILON))
7937 
7938          r = rlo = rhi = that->redf;
7939          rlo -= that->rede;
7940          rlo = DD(rlo, calc_depth, 1/*round*/);
7941          rhi += that->rede;
7942          rhi = DU(rhi, calc_depth, 1/*round*/);
7943 
7944          g = glo = ghi = that->greenf;
7945          glo -= that->greene;
7946          glo = DD(glo, calc_depth, 1/*round*/);
7947          ghi += that->greene;
7948          ghi = DU(ghi, calc_depth, 1/*round*/);
7949 
7950          b = blo = bhi = that->bluef;
7951          blo -= that->bluee;
7952          blo = DD(blo, calc_depth, 1/*round*/);
7953          bhi += that->bluee;
7954          bhi = DU(bhi, calc_depth, 1/*round*/);
7955 
7956          isgray = r==g && g==b;
7957 
7958          if (data.gamma != 1)
7959          {
7960             const double power = 1/data.gamma;
7961             const double abse = .5/(sample_depth == 16 ? 65535 : 255);
7962 
7963             /* If a gamma calculation is done it is done using lookup tables of
7964              * precision gamma_depth, so the already digitized value above may
7965              * need to be further digitized here.
7966              */
7967             if (gamma_depth != calc_depth)
7968             {
7969                rlo = DD(rlo, gamma_depth, 0/*truncate*/);
7970                rhi = DU(rhi, gamma_depth, 0/*truncate*/);
7971                glo = DD(glo, gamma_depth, 0/*truncate*/);
7972                ghi = DU(ghi, gamma_depth, 0/*truncate*/);
7973                blo = DD(blo, gamma_depth, 0/*truncate*/);
7974                bhi = DU(bhi, gamma_depth, 0/*truncate*/);
7975             }
7976 
7977             /* 'abse' is the error in the gamma table calculation itself. */
7978             r = pow(r, power);
7979             rlo = DD(pow(rlo, power)-abse, calc_depth, 1);
7980             rhi = DU(pow(rhi, power)+abse, calc_depth, 1);
7981 
7982             g = pow(g, power);
7983             glo = DD(pow(glo, power)-abse, calc_depth, 1);
7984             ghi = DU(pow(ghi, power)+abse, calc_depth, 1);
7985 
7986             b = pow(b, power);
7987             blo = DD(pow(blo, power)-abse, calc_depth, 1);
7988             bhi = DU(pow(bhi, power)+abse, calc_depth, 1);
7989          }
7990 
7991          /* Now calculate the actual gray values.  Although the error in the
7992           * coefficients depends on whether they were specified on the command
7993           * line (in which case truncation to 15 bits happened) or not (rounding
7994           * was used) the maxium error in an individual coefficient is always
7995           * 2/32768, because even in the rounding case the requirement that
7996           * coefficients add up to 32768 can cause a larger rounding error.
7997           *
7998           * The only time when rounding doesn't occur in 1.5.5 and later is when
7999           * the non-gamma code path is used for less than 16 bit data.
8000           */
8001          gray = r * data.red_coefficient + g * data.green_coefficient +
8002             b * data.blue_coefficient;
8003 
8004          {
8005             const int do_round = data.gamma != 1 || calc_depth == 16;
8006             const double ce = 2. / 32768;
8007 
8008             graylo = DD(rlo * (data.red_coefficient-ce) +
8009                glo * (data.green_coefficient-ce) +
8010                blo * (data.blue_coefficient-ce), calc_depth, do_round);
8011             if (graylo > gray) /* always accept the right answer */
8012                graylo = gray;
8013 
8014             grayhi = DU(rhi * (data.red_coefficient+ce) +
8015                ghi * (data.green_coefficient+ce) +
8016                bhi * (data.blue_coefficient+ce), calc_depth, do_round);
8017             if (grayhi < gray)
8018                grayhi = gray;
8019          }
8020 
8021          /* And invert the gamma. */
8022          if (data.gamma != 1)
8023          {
8024             const double power = data.gamma;
8025 
8026             /* And this happens yet again, shifting the values once more. */
8027             if (gamma_depth != sample_depth)
8028             {
8029                rlo = DD(rlo, gamma_depth, 0/*truncate*/);
8030                rhi = DU(rhi, gamma_depth, 0/*truncate*/);
8031                glo = DD(glo, gamma_depth, 0/*truncate*/);
8032                ghi = DU(ghi, gamma_depth, 0/*truncate*/);
8033                blo = DD(blo, gamma_depth, 0/*truncate*/);
8034                bhi = DU(bhi, gamma_depth, 0/*truncate*/);
8035             }
8036 
8037             gray = pow(gray, power);
8038             graylo = DD(pow(graylo, power), sample_depth, 1);
8039             grayhi = DU(pow(grayhi, power), sample_depth, 1);
8040          }
8041 
8042 #        undef DD
8043 #        undef DU
8044 
8045          /* Now the error can be calculated.
8046           *
8047           * If r==g==b because there is no overall gamma correction libpng
8048           * currently preserves the original value.
8049           */
8050          if (isgray)
8051             err = (that->rede + that->greene + that->bluee)/3;
8052 
8053          else
8054          {
8055             err = fabs(grayhi-gray);
8056 
8057             if (fabs(gray - graylo) > err)
8058                err = fabs(graylo-gray);
8059 
8060 #if !RELEASE_BUILD
8061             /* Check that this worked: */
8062             if (err > pm->limit)
8063             {
8064                size_t pos = 0;
8065                char buffer[128];
8066 
8067                pos = safecat(buffer, sizeof buffer, pos, "rgb_to_gray error ");
8068                pos = safecatd(buffer, sizeof buffer, pos, err, 6);
8069                pos = safecat(buffer, sizeof buffer, pos, " exceeds limit ");
8070                pos = safecatd(buffer, sizeof buffer, pos, pm->limit, 6);
8071                png_warning(pp, buffer);
8072                pm->limit = err;
8073             }
8074 #endif /* !RELEASE_BUILD */
8075          }
8076       }
8077 #  else  /* !DIGITIZE */
8078       {
8079          double r = that->redf;
8080          double re = that->rede;
8081          double g = that->greenf;
8082          double ge = that->greene;
8083          double b = that->bluef;
8084          double be = that->bluee;
8085 
8086 #        if PNG_LIBPNG_VER < 10700
8087             /* The true gray case involves no math in earlier versions (not
8088              * true, there was some if gamma correction was happening too.)
8089              */
8090             if (r == g && r == b)
8091             {
8092                gray = r;
8093                err = re;
8094                if (err < ge) err = ge;
8095                if (err < be) err = be;
8096             }
8097 
8098             else
8099 #        endif /* before 1.7 */
8100          if (data.gamma == 1)
8101          {
8102             /* There is no need to do the conversions to and from linear space,
8103              * so the calculation should be a lot more accurate.  There is a
8104              * built in error in the coefficients because they only have 15 bits
8105              * and are adjusted to make sure they add up to 32768.  This
8106              * involves a integer calculation with truncation of the form:
8107              *
8108              *     ((int)(coefficient * 100000) * 32768)/100000
8109              *
8110              * This is done to the red and green coefficients (the ones
8111              * provided to the API) then blue is calculated from them so the
8112              * result adds up to 32768.  In the worst case this can result in
8113              * a -1 error in red and green and a +2 error in blue.  Consequently
8114              * the worst case in the calculation below is 2/32768 error.
8115              *
8116              * TODO: consider fixing this in libpng by rounding the calculation
8117              * limiting the error to 1/32768.
8118              *
8119              * Handling this by adding 2/32768 here avoids needing to increase
8120              * the global error limits to take this into account.)
8121              */
8122             gray = r * data.red_coefficient + g * data.green_coefficient +
8123                b * data.blue_coefficient;
8124             err = re * data.red_coefficient + ge * data.green_coefficient +
8125                be * data.blue_coefficient + 2./32768 + gray * 5 * DBL_EPSILON;
8126          }
8127 
8128          else
8129          {
8130             /* The calculation happens in linear space, and this produces much
8131              * wider errors in the encoded space.  These are handled here by
8132              * factoring the errors in to the calculation.  There are two table
8133              * lookups in the calculation and each introduces a quantization
8134              * error defined by the table size.
8135              */
8136             png_modifier *pm = display->pm;
8137             double in_qe = (that->sample_depth > 8 ? .5/65535 : .5/255);
8138             double out_qe = (that->sample_depth > 8 ? .5/65535 :
8139                (pm->assume_16_bit_calculations ? .5/(1<<display->max_gamma_8) :
8140                .5/255));
8141             double rhi, ghi, bhi, grayhi;
8142             double g1 = 1/data.gamma;
8143 
8144             rhi = r + re + in_qe; if (rhi > 1) rhi = 1;
8145             r -= re + in_qe; if (r < 0) r = 0;
8146             ghi = g + ge + in_qe; if (ghi > 1) ghi = 1;
8147             g -= ge + in_qe; if (g < 0) g = 0;
8148             bhi = b + be + in_qe; if (bhi > 1) bhi = 1;
8149             b -= be + in_qe; if (b < 0) b = 0;
8150 
8151             r = pow(r, g1)*(1-DBL_EPSILON); rhi = pow(rhi, g1)*(1+DBL_EPSILON);
8152             g = pow(g, g1)*(1-DBL_EPSILON); ghi = pow(ghi, g1)*(1+DBL_EPSILON);
8153             b = pow(b, g1)*(1-DBL_EPSILON); bhi = pow(bhi, g1)*(1+DBL_EPSILON);
8154 
8155             /* Work out the lower and upper bounds for the gray value in the
8156              * encoded space, then work out an average and error.  Remove the
8157              * previously added input quantization error at this point.
8158              */
8159             gray = r * data.red_coefficient + g * data.green_coefficient +
8160                b * data.blue_coefficient - 2./32768 - out_qe;
8161             if (gray <= 0)
8162                gray = 0;
8163             else
8164             {
8165                gray *= (1 - 6 * DBL_EPSILON);
8166                gray = pow(gray, data.gamma) * (1-DBL_EPSILON);
8167             }
8168 
8169             grayhi = rhi * data.red_coefficient + ghi * data.green_coefficient +
8170                bhi * data.blue_coefficient + 2./32768 + out_qe;
8171             grayhi *= (1 + 6 * DBL_EPSILON);
8172             if (grayhi >= 1)
8173                grayhi = 1;
8174             else
8175                grayhi = pow(grayhi, data.gamma) * (1+DBL_EPSILON);
8176 
8177             err = (grayhi - gray) / 2;
8178             gray = (grayhi + gray) / 2;
8179 
8180             if (err <= in_qe)
8181                err = gray * DBL_EPSILON;
8182 
8183             else
8184                err -= in_qe;
8185 
8186 #if !RELEASE_BUILD
8187             /* Validate that the error is within limits (this has caused
8188              * problems before, it's much easier to detect them here.)
8189              */
8190             if (err > pm->limit)
8191             {
8192                size_t pos = 0;
8193                char buffer[128];
8194 
8195                pos = safecat(buffer, sizeof buffer, pos, "rgb_to_gray error ");
8196                pos = safecatd(buffer, sizeof buffer, pos, err, 6);
8197                pos = safecat(buffer, sizeof buffer, pos, " exceeds limit ");
8198                pos = safecatd(buffer, sizeof buffer, pos, pm->limit, 6);
8199                png_warning(pp, buffer);
8200                pm->limit = err;
8201             }
8202 #endif /* !RELEASE_BUILD */
8203          }
8204       }
8205 #  endif /* !DIGITIZE */
8206 
8207       that->bluef = that->greenf = that->redf = gray;
8208       that->bluee = that->greene = that->rede = err;
8209 
8210       /* The sBIT is the minium of the three colour channel sBITs. */
8211       if (that->red_sBIT > that->green_sBIT)
8212          that->red_sBIT = that->green_sBIT;
8213       if (that->red_sBIT > that->blue_sBIT)
8214          that->red_sBIT = that->blue_sBIT;
8215       that->blue_sBIT = that->green_sBIT = that->red_sBIT;
8216 
8217       /* And remove the colour bit in the type: */
8218       if (that->colour_type == PNG_COLOR_TYPE_RGB)
8219          that->colour_type = PNG_COLOR_TYPE_GRAY;
8220       else if (that->colour_type == PNG_COLOR_TYPE_RGB_ALPHA)
8221          that->colour_type = PNG_COLOR_TYPE_GRAY_ALPHA;
8222    }
8223 
8224    this->next->mod(this->next, that, pp, display);
8225 }
8226 
8227 static int
image_transform_png_set_rgb_to_gray_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8228 image_transform_png_set_rgb_to_gray_add(image_transform *this,
8229     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8230 {
8231    UNUSED(bit_depth)
8232 
8233    this->next = *that;
8234    *that = this;
8235 
8236    return (colour_type & PNG_COLOR_MASK_COLOR) != 0;
8237 }
8238 
8239 #undef data
8240 IT(rgb_to_gray);
8241 #undef PT
8242 #define PT ITSTRUCT(rgb_to_gray)
8243 #undef image_transform_ini
8244 #define image_transform_ini image_transform_default_ini
8245 #endif /* PNG_READ_RGB_TO_GRAY_SUPPORTED */
8246 
8247 #ifdef PNG_READ_BACKGROUND_SUPPORTED
8248 /* png_set_background(png_structp, png_const_color_16p background_color,
8249  *    int background_gamma_code, int need_expand, double background_gamma)
8250  * png_set_background_fixed(png_structp, png_const_color_16p background_color,
8251  *    int background_gamma_code, int need_expand,
8252  *    png_fixed_point background_gamma)
8253  *
8254  * This ignores the gamma (at present.)
8255 */
8256 #define data ITDATA(background)
8257 static image_pixel data;
8258 
8259 static void
image_transform_png_set_background_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8260 image_transform_png_set_background_set(const image_transform *this,
8261     transform_display *that, png_structp pp, png_infop pi)
8262 {
8263    png_byte colour_type, bit_depth;
8264    png_byte random_bytes[8]; /* 8 bytes - 64 bits - the biggest pixel */
8265    int expand;
8266    png_color_16 back;
8267 
8268    /* We need a background colour, because we don't know exactly what transforms
8269     * have been set we have to supply the colour in the original file format and
8270     * so we need to know what that is!  The background colour is stored in the
8271     * transform_display.
8272     */
8273    R8(random_bytes);
8274 
8275    /* Read the random value, for colour type 3 the background colour is actually
8276     * expressed as a 24bit rgb, not an index.
8277     */
8278    colour_type = that->this.colour_type;
8279    if (colour_type == 3)
8280    {
8281       colour_type = PNG_COLOR_TYPE_RGB;
8282       bit_depth = 8;
8283       expand = 0; /* passing in an RGB not a pixel index */
8284    }
8285 
8286    else
8287    {
8288       if (that->this.has_tRNS)
8289          that->this.is_transparent = 1;
8290 
8291       bit_depth = that->this.bit_depth;
8292       expand = 1;
8293    }
8294 
8295    image_pixel_init(&data, random_bytes, colour_type,
8296       bit_depth, 0/*x*/, 0/*unused: palette*/, NULL/*format*/);
8297 
8298    /* Extract the background colour from this image_pixel, but make sure the
8299     * unused fields of 'back' are garbage.
8300     */
8301    R8(back);
8302 
8303    if (colour_type & PNG_COLOR_MASK_COLOR)
8304    {
8305       back.red = (png_uint_16)data.red;
8306       back.green = (png_uint_16)data.green;
8307       back.blue = (png_uint_16)data.blue;
8308    }
8309 
8310    else
8311       back.gray = (png_uint_16)data.red;
8312 
8313 #ifdef PNG_FLOATING_POINT_SUPPORTED
8314    png_set_background(pp, &back, PNG_BACKGROUND_GAMMA_FILE, expand, 0);
8315 #else
8316    png_set_background_fixed(pp, &back, PNG_BACKGROUND_GAMMA_FILE, expand, 0);
8317 #endif
8318 
8319    this->next->set(this->next, that, pp, pi);
8320 }
8321 
8322 static void
image_transform_png_set_background_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8323 image_transform_png_set_background_mod(const image_transform *this,
8324     image_pixel *that, png_const_structp pp,
8325     const transform_display *display)
8326 {
8327    /* Check for tRNS first: */
8328    if (that->have_tRNS && that->colour_type != PNG_COLOR_TYPE_PALETTE)
8329       image_pixel_add_alpha(that, &display->this, 1/*for background*/);
8330 
8331    /* This is only necessary if the alpha value is less than 1. */
8332    if (that->alphaf < 1)
8333    {
8334       /* Now we do the background calculation without any gamma correction. */
8335       if (that->alphaf <= 0)
8336       {
8337          that->redf = data.redf;
8338          that->greenf = data.greenf;
8339          that->bluef = data.bluef;
8340 
8341          that->rede = data.rede;
8342          that->greene = data.greene;
8343          that->bluee = data.bluee;
8344 
8345          that->red_sBIT= data.red_sBIT;
8346          that->green_sBIT= data.green_sBIT;
8347          that->blue_sBIT= data.blue_sBIT;
8348       }
8349 
8350       else /* 0 < alpha < 1 */
8351       {
8352          double alf = 1 - that->alphaf;
8353 
8354          that->redf = that->redf * that->alphaf + data.redf * alf;
8355          that->rede = that->rede * that->alphaf + data.rede * alf +
8356             DBL_EPSILON;
8357          that->greenf = that->greenf * that->alphaf + data.greenf * alf;
8358          that->greene = that->greene * that->alphaf + data.greene * alf +
8359             DBL_EPSILON;
8360          that->bluef = that->bluef * that->alphaf + data.bluef * alf;
8361          that->bluee = that->bluee * that->alphaf + data.bluee * alf +
8362             DBL_EPSILON;
8363       }
8364 
8365       /* Remove the alpha type and set the alpha (not in that order.) */
8366       that->alphaf = 1;
8367       that->alphae = 0;
8368    }
8369 
8370    if (that->colour_type == PNG_COLOR_TYPE_RGB_ALPHA)
8371       that->colour_type = PNG_COLOR_TYPE_RGB;
8372    else if (that->colour_type == PNG_COLOR_TYPE_GRAY_ALPHA)
8373       that->colour_type = PNG_COLOR_TYPE_GRAY;
8374    /* PNG_COLOR_TYPE_PALETTE is not changed */
8375 
8376    this->next->mod(this->next, that, pp, display);
8377 }
8378 
8379 #define image_transform_png_set_background_add image_transform_default_add
8380 
8381 #undef data
8382 IT(background);
8383 #undef PT
8384 #define PT ITSTRUCT(background)
8385 #endif /* PNG_READ_BACKGROUND_SUPPORTED */
8386 
8387 /* png_set_quantize(png_structp, png_colorp palette, int num_palette,
8388  *    int maximum_colors, png_const_uint_16p histogram, int full_quantize)
8389  *
8390  * Very difficult to validate this!
8391  */
8392 /*NOTE: TBD NYI */
8393 
8394 /* The data layout transforms are handled by swapping our own channel data,
8395  * necessarily these need to happen at the end of the transform list because the
8396  * semantic of the channels changes after these are executed.  Some of these,
8397  * like set_shift and set_packing, can't be done at present because they change
8398  * the layout of the data at the sub-sample level so sample() won't get the
8399  * right answer.
8400  */
8401 /* png_set_invert_alpha */
8402 #ifdef PNG_READ_INVERT_ALPHA_SUPPORTED
8403 /* Invert the alpha channel
8404  *
8405  *  png_set_invert_alpha(png_structrp png_ptr)
8406  */
8407 static void
image_transform_png_set_invert_alpha_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8408 image_transform_png_set_invert_alpha_set(const image_transform *this,
8409     transform_display *that, png_structp pp, png_infop pi)
8410 {
8411    png_set_invert_alpha(pp);
8412    this->next->set(this->next, that, pp, pi);
8413 }
8414 
8415 static void
image_transform_png_set_invert_alpha_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8416 image_transform_png_set_invert_alpha_mod(const image_transform *this,
8417     image_pixel *that, png_const_structp pp,
8418     const transform_display *display)
8419 {
8420    if (that->colour_type & 4)
8421       that->alpha_inverted = 1;
8422 
8423    this->next->mod(this->next, that, pp, display);
8424 }
8425 
8426 static int
image_transform_png_set_invert_alpha_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8427 image_transform_png_set_invert_alpha_add(image_transform *this,
8428     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8429 {
8430    UNUSED(bit_depth)
8431 
8432    this->next = *that;
8433    *that = this;
8434 
8435    /* Only has an effect on pixels with alpha: */
8436    return (colour_type & 4) != 0;
8437 }
8438 
8439 IT(invert_alpha);
8440 #undef PT
8441 #define PT ITSTRUCT(invert_alpha)
8442 
8443 #endif /* PNG_READ_INVERT_ALPHA_SUPPORTED */
8444 
8445 /* png_set_bgr */
8446 #ifdef PNG_READ_BGR_SUPPORTED
8447 /* Swap R,G,B channels to order B,G,R.
8448  *
8449  *  png_set_bgr(png_structrp png_ptr)
8450  *
8451  * This only has an effect on RGB and RGBA pixels.
8452  */
8453 static void
image_transform_png_set_bgr_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8454 image_transform_png_set_bgr_set(const image_transform *this,
8455     transform_display *that, png_structp pp, png_infop pi)
8456 {
8457    png_set_bgr(pp);
8458    this->next->set(this->next, that, pp, pi);
8459 }
8460 
8461 static void
image_transform_png_set_bgr_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8462 image_transform_png_set_bgr_mod(const image_transform *this,
8463     image_pixel *that, png_const_structp pp,
8464     const transform_display *display)
8465 {
8466    if (that->colour_type == PNG_COLOR_TYPE_RGB ||
8467        that->colour_type == PNG_COLOR_TYPE_RGBA)
8468        that->swap_rgb = 1;
8469 
8470    this->next->mod(this->next, that, pp, display);
8471 }
8472 
8473 static int
image_transform_png_set_bgr_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8474 image_transform_png_set_bgr_add(image_transform *this,
8475     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8476 {
8477    UNUSED(bit_depth)
8478 
8479    this->next = *that;
8480    *that = this;
8481 
8482    return colour_type == PNG_COLOR_TYPE_RGB ||
8483        colour_type == PNG_COLOR_TYPE_RGBA;
8484 }
8485 
8486 IT(bgr);
8487 #undef PT
8488 #define PT ITSTRUCT(bgr)
8489 
8490 #endif /* PNG_READ_BGR_SUPPORTED */
8491 
8492 /* png_set_swap_alpha */
8493 #ifdef PNG_READ_SWAP_ALPHA_SUPPORTED
8494 /* Put the alpha channel first.
8495  *
8496  *  png_set_swap_alpha(png_structrp png_ptr)
8497  *
8498  * This only has an effect on GA and RGBA pixels.
8499  */
8500 static void
image_transform_png_set_swap_alpha_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8501 image_transform_png_set_swap_alpha_set(const image_transform *this,
8502     transform_display *that, png_structp pp, png_infop pi)
8503 {
8504    png_set_swap_alpha(pp);
8505    this->next->set(this->next, that, pp, pi);
8506 }
8507 
8508 static void
image_transform_png_set_swap_alpha_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8509 image_transform_png_set_swap_alpha_mod(const image_transform *this,
8510     image_pixel *that, png_const_structp pp,
8511     const transform_display *display)
8512 {
8513    if (that->colour_type == PNG_COLOR_TYPE_GA ||
8514        that->colour_type == PNG_COLOR_TYPE_RGBA)
8515       that->alpha_first = 1;
8516 
8517    this->next->mod(this->next, that, pp, display);
8518 }
8519 
8520 static int
image_transform_png_set_swap_alpha_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8521 image_transform_png_set_swap_alpha_add(image_transform *this,
8522     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8523 {
8524    UNUSED(bit_depth)
8525 
8526    this->next = *that;
8527    *that = this;
8528 
8529    return colour_type == PNG_COLOR_TYPE_GA ||
8530        colour_type == PNG_COLOR_TYPE_RGBA;
8531 }
8532 
8533 IT(swap_alpha);
8534 #undef PT
8535 #define PT ITSTRUCT(swap_alpha)
8536 
8537 #endif /* PNG_READ_SWAP_ALPHA_SUPPORTED */
8538 
8539 /* png_set_swap */
8540 #ifdef PNG_READ_SWAP_SUPPORTED
8541 /* Byte swap 16-bit components.
8542  *
8543  *  png_set_swap(png_structrp png_ptr)
8544  */
8545 static void
image_transform_png_set_swap_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8546 image_transform_png_set_swap_set(const image_transform *this,
8547     transform_display *that, png_structp pp, png_infop pi)
8548 {
8549    png_set_swap(pp);
8550    this->next->set(this->next, that, pp, pi);
8551 }
8552 
8553 static void
image_transform_png_set_swap_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8554 image_transform_png_set_swap_mod(const image_transform *this,
8555     image_pixel *that, png_const_structp pp,
8556     const transform_display *display)
8557 {
8558    if (that->bit_depth == 16)
8559       that->swap16 = 1;
8560 
8561    this->next->mod(this->next, that, pp, display);
8562 }
8563 
8564 static int
image_transform_png_set_swap_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8565 image_transform_png_set_swap_add(image_transform *this,
8566     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8567 {
8568    UNUSED(colour_type)
8569 
8570    this->next = *that;
8571    *that = this;
8572 
8573    return bit_depth == 16;
8574 }
8575 
8576 IT(swap);
8577 #undef PT
8578 #define PT ITSTRUCT(swap)
8579 
8580 #endif /* PNG_READ_SWAP_SUPPORTED */
8581 
8582 #ifdef PNG_READ_FILLER_SUPPORTED
8583 /* Add a filler byte to 8-bit Gray or 24-bit RGB images.
8584  *
8585  *  png_set_filler, (png_structp png_ptr, png_uint_32 filler, int flags));
8586  *
8587  * Flags:
8588  *
8589  *  PNG_FILLER_BEFORE
8590  *  PNG_FILLER_AFTER
8591  */
8592 #define data ITDATA(filler)
8593 static struct
8594 {
8595    png_uint_32 filler;
8596    int         flags;
8597 } data;
8598 
8599 static void
image_transform_png_set_filler_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8600 image_transform_png_set_filler_set(const image_transform *this,
8601     transform_display *that, png_structp pp, png_infop pi)
8602 {
8603    /* Need a random choice for 'before' and 'after' as well as for the
8604     * filler.  The 'filler' value has all 32 bits set, but only bit_depth
8605     * will be used.  At this point we don't know bit_depth.
8606     */
8607    data.filler = random_u32();
8608    data.flags = random_choice();
8609 
8610    png_set_filler(pp, data.filler, data.flags);
8611 
8612    /* The standard display handling stuff also needs to know that
8613     * there is a filler, so set that here.
8614     */
8615    that->this.filler = 1;
8616 
8617    this->next->set(this->next, that, pp, pi);
8618 }
8619 
8620 static void
image_transform_png_set_filler_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8621 image_transform_png_set_filler_mod(const image_transform *this,
8622     image_pixel *that, png_const_structp pp,
8623     const transform_display *display)
8624 {
8625    if (that->bit_depth >= 8 &&
8626        (that->colour_type == PNG_COLOR_TYPE_RGB ||
8627         that->colour_type == PNG_COLOR_TYPE_GRAY))
8628    {
8629       const unsigned int max = (1U << that->bit_depth)-1;
8630       that->alpha = data.filler & max;
8631       that->alphaf = ((double)that->alpha) / max;
8632       that->alphae = 0;
8633 
8634       /* The filler has been stored in the alpha channel, we must record
8635        * that this has been done for the checking later on, the color
8636        * type is faked to have an alpha channel, but libpng won't report
8637        * this; the app has to know the extra channel is there and this
8638        * was recording in standard_display::filler above.
8639        */
8640       that->colour_type |= 4; /* alpha added */
8641       that->alpha_first = data.flags == PNG_FILLER_BEFORE;
8642    }
8643 
8644    this->next->mod(this->next, that, pp, display);
8645 }
8646 
8647 static int
image_transform_png_set_filler_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8648 image_transform_png_set_filler_add(image_transform *this,
8649     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8650 {
8651    this->next = *that;
8652    *that = this;
8653 
8654    return bit_depth >= 8 && (colour_type == PNG_COLOR_TYPE_RGB ||
8655            colour_type == PNG_COLOR_TYPE_GRAY);
8656 }
8657 
8658 #undef data
8659 IT(filler);
8660 #undef PT
8661 #define PT ITSTRUCT(filler)
8662 
8663 /* png_set_add_alpha, (png_structp png_ptr, png_uint_32 filler, int flags)); */
8664 /* Add an alpha byte to 8-bit Gray or 24-bit RGB images. */
8665 #define data ITDATA(add_alpha)
8666 static struct
8667 {
8668    png_uint_32 filler;
8669    int         flags;
8670 } data;
8671 
8672 static void
image_transform_png_set_add_alpha_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8673 image_transform_png_set_add_alpha_set(const image_transform *this,
8674     transform_display *that, png_structp pp, png_infop pi)
8675 {
8676    /* Need a random choice for 'before' and 'after' as well as for the
8677     * filler.  The 'filler' value has all 32 bits set, but only bit_depth
8678     * will be used.  At this point we don't know bit_depth.
8679     */
8680    data.filler = random_u32();
8681    data.flags = random_choice();
8682 
8683    png_set_add_alpha(pp, data.filler, data.flags);
8684    this->next->set(this->next, that, pp, pi);
8685 }
8686 
8687 static void
image_transform_png_set_add_alpha_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8688 image_transform_png_set_add_alpha_mod(const image_transform *this,
8689     image_pixel *that, png_const_structp pp,
8690     const transform_display *display)
8691 {
8692    if (that->bit_depth >= 8 &&
8693        (that->colour_type == PNG_COLOR_TYPE_RGB ||
8694         that->colour_type == PNG_COLOR_TYPE_GRAY))
8695    {
8696       const unsigned int max = (1U << that->bit_depth)-1;
8697       that->alpha = data.filler & max;
8698       that->alphaf = ((double)that->alpha) / max;
8699       that->alphae = 0;
8700 
8701       that->colour_type |= 4; /* alpha added */
8702       that->alpha_first = data.flags == PNG_FILLER_BEFORE;
8703    }
8704 
8705    this->next->mod(this->next, that, pp, display);
8706 }
8707 
8708 static int
image_transform_png_set_add_alpha_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8709 image_transform_png_set_add_alpha_add(image_transform *this,
8710     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8711 {
8712    this->next = *that;
8713    *that = this;
8714 
8715    return bit_depth >= 8 && (colour_type == PNG_COLOR_TYPE_RGB ||
8716            colour_type == PNG_COLOR_TYPE_GRAY);
8717 }
8718 
8719 #undef data
8720 IT(add_alpha);
8721 #undef PT
8722 #define PT ITSTRUCT(add_alpha)
8723 
8724 #endif /* PNG_READ_FILLER_SUPPORTED */
8725 
8726 /* png_set_packing */
8727 #ifdef PNG_READ_PACK_SUPPORTED
8728 /* Use 1 byte per pixel in 1, 2, or 4-bit depth files.
8729  *
8730  *  png_set_packing(png_structrp png_ptr)
8731  *
8732  * This should only affect grayscale and palette images with less than 8 bits
8733  * per pixel.
8734  */
8735 static void
image_transform_png_set_packing_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8736 image_transform_png_set_packing_set(const image_transform *this,
8737     transform_display *that, png_structp pp, png_infop pi)
8738 {
8739    png_set_packing(pp);
8740    that->unpacked = 1;
8741    this->next->set(this->next, that, pp, pi);
8742 }
8743 
8744 static void
image_transform_png_set_packing_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8745 image_transform_png_set_packing_mod(const image_transform *this,
8746     image_pixel *that, png_const_structp pp,
8747     const transform_display *display)
8748 {
8749    /* The general expand case depends on what the colour type is,
8750     * low bit-depth pixel values are unpacked into bytes without
8751     * scaling, so sample_depth is not changed.
8752     */
8753    if (that->bit_depth < 8) /* grayscale or palette */
8754       that->bit_depth = 8;
8755 
8756    this->next->mod(this->next, that, pp, display);
8757 }
8758 
8759 static int
image_transform_png_set_packing_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8760 image_transform_png_set_packing_add(image_transform *this,
8761     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8762 {
8763    UNUSED(colour_type)
8764 
8765    this->next = *that;
8766    *that = this;
8767 
8768    /* Nothing should happen unless the bit depth is less than 8: */
8769    return bit_depth < 8;
8770 }
8771 
8772 IT(packing);
8773 #undef PT
8774 #define PT ITSTRUCT(packing)
8775 
8776 #endif /* PNG_READ_PACK_SUPPORTED */
8777 
8778 /* png_set_packswap */
8779 #ifdef PNG_READ_PACKSWAP_SUPPORTED
8780 /* Swap pixels packed into bytes; reverses the order on screen so that
8781  * the high order bits correspond to the rightmost pixels.
8782  *
8783  *  png_set_packswap(png_structrp png_ptr)
8784  */
8785 static void
image_transform_png_set_packswap_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8786 image_transform_png_set_packswap_set(const image_transform *this,
8787     transform_display *that, png_structp pp, png_infop pi)
8788 {
8789    png_set_packswap(pp);
8790    that->this.littleendian = 1;
8791    this->next->set(this->next, that, pp, pi);
8792 }
8793 
8794 static void
image_transform_png_set_packswap_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8795 image_transform_png_set_packswap_mod(const image_transform *this,
8796     image_pixel *that, png_const_structp pp,
8797     const transform_display *display)
8798 {
8799    if (that->bit_depth < 8)
8800       that->littleendian = 1;
8801 
8802    this->next->mod(this->next, that, pp, display);
8803 }
8804 
8805 static int
image_transform_png_set_packswap_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8806 image_transform_png_set_packswap_add(image_transform *this,
8807     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8808 {
8809    UNUSED(colour_type)
8810 
8811    this->next = *that;
8812    *that = this;
8813 
8814    return bit_depth < 8;
8815 }
8816 
8817 IT(packswap);
8818 #undef PT
8819 #define PT ITSTRUCT(packswap)
8820 
8821 #endif /* PNG_READ_PACKSWAP_SUPPORTED */
8822 
8823 
8824 /* png_set_invert_mono */
8825 #ifdef PNG_READ_INVERT_MONO_SUPPORTED
8826 /* Invert the gray channel
8827  *
8828  *  png_set_invert_mono(png_structrp png_ptr)
8829  */
8830 static void
image_transform_png_set_invert_mono_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8831 image_transform_png_set_invert_mono_set(const image_transform *this,
8832     transform_display *that, png_structp pp, png_infop pi)
8833 {
8834    png_set_invert_mono(pp);
8835    this->next->set(this->next, that, pp, pi);
8836 }
8837 
8838 static void
image_transform_png_set_invert_mono_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8839 image_transform_png_set_invert_mono_mod(const image_transform *this,
8840     image_pixel *that, png_const_structp pp,
8841     const transform_display *display)
8842 {
8843    if (that->colour_type & 4)
8844       that->mono_inverted = 1;
8845 
8846    this->next->mod(this->next, that, pp, display);
8847 }
8848 
8849 static int
image_transform_png_set_invert_mono_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8850 image_transform_png_set_invert_mono_add(image_transform *this,
8851     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8852 {
8853    UNUSED(bit_depth)
8854 
8855    this->next = *that;
8856    *that = this;
8857 
8858    /* Only has an effect on pixels with no colour: */
8859    return (colour_type & 2) == 0;
8860 }
8861 
8862 IT(invert_mono);
8863 #undef PT
8864 #define PT ITSTRUCT(invert_mono)
8865 
8866 #endif /* PNG_READ_INVERT_MONO_SUPPORTED */
8867 
8868 #ifdef PNG_READ_SHIFT_SUPPORTED
8869 /* png_set_shift(png_structp, png_const_color_8p true_bits)
8870  *
8871  * The output pixels will be shifted by the given true_bits
8872  * values.
8873  */
8874 #define data ITDATA(shift)
8875 static png_color_8 data;
8876 
8877 static void
image_transform_png_set_shift_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8878 image_transform_png_set_shift_set(const image_transform *this,
8879     transform_display *that, png_structp pp, png_infop pi)
8880 {
8881    /* Get a random set of shifts.  The shifts need to do something
8882     * to test the transform, so they are limited to the bit depth
8883     * of the input image.  Notice that in the following the 'gray'
8884     * field is randomized independently.  This acts as a check that
8885     * libpng does use the correct field.
8886     */
8887    const unsigned int depth = that->this.bit_depth;
8888 
8889    data.red = (png_byte)/*SAFE*/(random_mod(depth)+1);
8890    data.green = (png_byte)/*SAFE*/(random_mod(depth)+1);
8891    data.blue = (png_byte)/*SAFE*/(random_mod(depth)+1);
8892    data.gray = (png_byte)/*SAFE*/(random_mod(depth)+1);
8893    data.alpha = (png_byte)/*SAFE*/(random_mod(depth)+1);
8894 
8895    png_set_shift(pp, &data);
8896    this->next->set(this->next, that, pp, pi);
8897 }
8898 
8899 static void
image_transform_png_set_shift_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8900 image_transform_png_set_shift_mod(const image_transform *this,
8901     image_pixel *that, png_const_structp pp,
8902     const transform_display *display)
8903 {
8904    /* Copy the correct values into the sBIT fields, libpng does not do
8905     * anything to palette data:
8906     */
8907    if (that->colour_type != PNG_COLOR_TYPE_PALETTE)
8908    {
8909        that->sig_bits = 1;
8910 
8911        /* The sBIT fields are reset to the values previously sent to
8912         * png_set_shift according to the colour type.
8913         * does.
8914         */
8915        if (that->colour_type & 2) /* RGB channels */
8916        {
8917           that->red_sBIT = data.red;
8918           that->green_sBIT = data.green;
8919           that->blue_sBIT = data.blue;
8920        }
8921 
8922        else /* One grey channel */
8923           that->red_sBIT = that->green_sBIT = that->blue_sBIT = data.gray;
8924 
8925        that->alpha_sBIT = data.alpha;
8926    }
8927 
8928    this->next->mod(this->next, that, pp, display);
8929 }
8930 
8931 static int
image_transform_png_set_shift_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8932 image_transform_png_set_shift_add(image_transform *this,
8933     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8934 {
8935    UNUSED(bit_depth)
8936 
8937    this->next = *that;
8938    *that = this;
8939 
8940    return colour_type != PNG_COLOR_TYPE_PALETTE;
8941 }
8942 
8943 IT(shift);
8944 #undef PT
8945 #define PT ITSTRUCT(shift)
8946 
8947 #endif /* PNG_READ_SHIFT_SUPPORTED */
8948 
8949 #ifdef THIS_IS_THE_PROFORMA
8950 static void
_set(const image_transform * this,transform_display * that,png_structp pp,png_infop pi)8951 image_transform_png_set_@_set(const image_transform *this,
8952     transform_display *that, png_structp pp, png_infop pi)
8953 {
8954    png_set_@(pp);
8955    this->next->set(this->next, that, pp, pi);
8956 }
8957 
8958 static void
_mod(const image_transform * this,image_pixel * that,png_const_structp pp,const transform_display * display)8959 image_transform_png_set_@_mod(const image_transform *this,
8960     image_pixel *that, png_const_structp pp,
8961     const transform_display *display)
8962 {
8963    this->next->mod(this->next, that, pp, display);
8964 }
8965 
8966 static int
_add(image_transform * this,const image_transform ** that,png_byte colour_type,png_byte bit_depth)8967 image_transform_png_set_@_add(image_transform *this,
8968     const image_transform **that, png_byte colour_type, png_byte bit_depth)
8969 {
8970    this->next = *that;
8971    *that = this;
8972 
8973    return 1;
8974 }
8975 
8976 IT(@);
8977 #endif
8978 
8979 
8980 /* This may just be 'end' if all the transforms are disabled! */
8981 static image_transform *const image_transform_first = &PT;
8982 
8983 static void
transform_enable(const char * name)8984 transform_enable(const char *name)
8985 {
8986    /* Everything starts out enabled, so if we see an 'enable' disabled
8987     * everything else the first time round.
8988     */
8989    static int all_disabled = 0;
8990    int found_it = 0;
8991    image_transform *list = image_transform_first;
8992 
8993    while (list != &image_transform_end)
8994    {
8995       if (strcmp(list->name, name) == 0)
8996       {
8997          list->enable = 1;
8998          found_it = 1;
8999       }
9000       else if (!all_disabled)
9001          list->enable = 0;
9002 
9003       list = list->list;
9004    }
9005 
9006    all_disabled = 1;
9007 
9008    if (!found_it)
9009    {
9010       fprintf(stderr, "pngvalid: --transform-enable=%s: unknown transform\n",
9011          name);
9012       exit(99);
9013    }
9014 }
9015 
9016 static void
transform_disable(const char * name)9017 transform_disable(const char *name)
9018 {
9019    image_transform *list = image_transform_first;
9020 
9021    while (list != &image_transform_end)
9022    {
9023       if (strcmp(list->name, name) == 0)
9024       {
9025          list->enable = 0;
9026          return;
9027       }
9028 
9029       list = list->list;
9030    }
9031 
9032    fprintf(stderr, "pngvalid: --transform-disable=%s: unknown transform\n",
9033       name);
9034    exit(99);
9035 }
9036 
9037 static void
image_transform_reset_count(void)9038 image_transform_reset_count(void)
9039 {
9040    image_transform *next = image_transform_first;
9041    int count = 0;
9042 
9043    while (next != &image_transform_end)
9044    {
9045       next->local_use = 0;
9046       next->next = 0;
9047       next = next->list;
9048       ++count;
9049    }
9050 
9051    /* This can only happen if we every have more than 32 transforms (excluding
9052     * the end) in the list.
9053     */
9054    if (count > 32) abort();
9055 }
9056 
9057 static int
image_transform_test_counter(png_uint_32 counter,unsigned int max)9058 image_transform_test_counter(png_uint_32 counter, unsigned int max)
9059 {
9060    /* Test the list to see if there is any point contining, given a current
9061     * counter and a 'max' value.
9062     */
9063    image_transform *next = image_transform_first;
9064 
9065    while (next != &image_transform_end)
9066    {
9067       /* For max 0 or 1 continue until the counter overflows: */
9068       counter >>= 1;
9069 
9070       /* Continue if any entry hasn't reacked the max. */
9071       if (max > 1 && next->local_use < max)
9072          return 1;
9073       next = next->list;
9074    }
9075 
9076    return max <= 1 && counter == 0;
9077 }
9078 
9079 static png_uint_32
image_transform_add(const image_transform ** this,unsigned int max,png_uint_32 counter,char * name,size_t sizeof_name,size_t * pos,png_byte colour_type,png_byte bit_depth)9080 image_transform_add(const image_transform **this, unsigned int max,
9081    png_uint_32 counter, char *name, size_t sizeof_name, size_t *pos,
9082    png_byte colour_type, png_byte bit_depth)
9083 {
9084    for (;;) /* until we manage to add something */
9085    {
9086       png_uint_32 mask;
9087       image_transform *list;
9088 
9089       /* Find the next counter value, if the counter is zero this is the start
9090        * of the list.  This routine always returns the current counter (not the
9091        * next) so it returns 0 at the end and expects 0 at the beginning.
9092        */
9093       if (counter == 0) /* first time */
9094       {
9095          image_transform_reset_count();
9096          if (max <= 1)
9097             counter = 1;
9098          else
9099             counter = random_32();
9100       }
9101       else /* advance the counter */
9102       {
9103          switch (max)
9104          {
9105             case 0:  ++counter; break;
9106             case 1:  counter <<= 1; break;
9107             default: counter = random_32(); break;
9108          }
9109       }
9110 
9111       /* Now add all these items, if possible */
9112       *this = &image_transform_end;
9113       list = image_transform_first;
9114       mask = 1;
9115 
9116       /* Go through the whole list adding anything that the counter selects: */
9117       while (list != &image_transform_end)
9118       {
9119          if ((counter & mask) != 0 && list->enable &&
9120              (max == 0 || list->local_use < max))
9121          {
9122             /* Candidate to add: */
9123             if (list->add(list, this, colour_type, bit_depth) || max == 0)
9124             {
9125                /* Added, so add to the name too. */
9126                *pos = safecat(name, sizeof_name, *pos, " +");
9127                *pos = safecat(name, sizeof_name, *pos, list->name);
9128             }
9129 
9130             else
9131             {
9132                /* Not useful and max>0, so remove it from *this: */
9133                *this = list->next;
9134                list->next = 0;
9135 
9136                /* And, since we know it isn't useful, stop it being added again
9137                 * in this run:
9138                 */
9139                list->local_use = max;
9140             }
9141          }
9142 
9143          mask <<= 1;
9144          list = list->list;
9145       }
9146 
9147       /* Now if anything was added we have something to do. */
9148       if (*this != &image_transform_end)
9149          return counter;
9150 
9151       /* Nothing added, but was there anything in there to add? */
9152       if (!image_transform_test_counter(counter, max))
9153          return 0;
9154    }
9155 }
9156 
9157 static void
perform_transform_test(png_modifier * pm)9158 perform_transform_test(png_modifier *pm)
9159 {
9160    png_byte colour_type = 0;
9161    png_byte bit_depth = 0;
9162    unsigned int palette_number = 0;
9163 
9164    while (next_format(&colour_type, &bit_depth, &palette_number, pm->test_lbg,
9165             pm->test_tRNS))
9166    {
9167       png_uint_32 counter = 0;
9168       size_t base_pos;
9169       char name[64];
9170 
9171       base_pos = safecat(name, sizeof name, 0, "transform:");
9172 
9173       for (;;)
9174       {
9175          size_t pos = base_pos;
9176          const image_transform *list = 0;
9177 
9178          /* 'max' is currently hardwired to '1'; this should be settable on the
9179           * command line.
9180           */
9181          counter = image_transform_add(&list, 1/*max*/, counter,
9182             name, sizeof name, &pos, colour_type, bit_depth);
9183 
9184          if (counter == 0)
9185             break;
9186 
9187          /* The command line can change this to checking interlaced images. */
9188          do
9189          {
9190             pm->repeat = 0;
9191             transform_test(pm, FILEID(colour_type, bit_depth, palette_number,
9192                pm->interlace_type, 0, 0, 0), list, name);
9193 
9194             if (fail(pm))
9195                return;
9196          }
9197          while (pm->repeat);
9198       }
9199    }
9200 }
9201 #endif /* PNG_READ_TRANSFORMS_SUPPORTED */
9202 
9203 /********************************* GAMMA TESTS ********************************/
9204 #ifdef PNG_READ_GAMMA_SUPPORTED
9205 /* Reader callbacks and implementations, where they differ from the standard
9206  * ones.
9207  */
9208 typedef struct gamma_display
9209 {
9210    standard_display this;
9211 
9212    /* Parameters */
9213    png_modifier*    pm;
9214    double           file_gamma;
9215    double           screen_gamma;
9216    double           background_gamma;
9217    png_byte         sbit;
9218    int              threshold_test;
9219    int              use_input_precision;
9220    int              scale16;
9221    int              expand16;
9222    int              do_background;
9223    png_color_16     background_color;
9224 
9225    /* Local variables */
9226    double       maxerrout;
9227    double       maxerrpc;
9228    double       maxerrabs;
9229 } gamma_display;
9230 
9231 #define ALPHA_MODE_OFFSET 4
9232 
9233 static void
gamma_display_init(gamma_display * dp,png_modifier * pm,png_uint_32 id,double file_gamma,double screen_gamma,png_byte sbit,int threshold_test,int use_input_precision,int scale16,int expand16,int do_background,const png_color_16 * pointer_to_the_background_color,double background_gamma)9234 gamma_display_init(gamma_display *dp, png_modifier *pm, png_uint_32 id,
9235     double file_gamma, double screen_gamma, png_byte sbit, int threshold_test,
9236     int use_input_precision, int scale16, int expand16,
9237     int do_background, const png_color_16 *pointer_to_the_background_color,
9238     double background_gamma)
9239 {
9240    /* Standard fields */
9241    standard_display_init(&dp->this, &pm->this, id, do_read_interlace,
9242       pm->use_update_info);
9243 
9244    /* Parameter fields */
9245    dp->pm = pm;
9246    dp->file_gamma = file_gamma;
9247    dp->screen_gamma = screen_gamma;
9248    dp->background_gamma = background_gamma;
9249    dp->sbit = sbit;
9250    dp->threshold_test = threshold_test;
9251    dp->use_input_precision = use_input_precision;
9252    dp->scale16 = scale16;
9253    dp->expand16 = expand16;
9254    dp->do_background = do_background;
9255    if (do_background && pointer_to_the_background_color != 0)
9256       dp->background_color = *pointer_to_the_background_color;
9257    else
9258       memset(&dp->background_color, 0, sizeof dp->background_color);
9259 
9260    /* Local variable fields */
9261    dp->maxerrout = dp->maxerrpc = dp->maxerrabs = 0;
9262 }
9263 
9264 static void
gamma_info_imp(gamma_display * dp,png_structp pp,png_infop pi)9265 gamma_info_imp(gamma_display *dp, png_structp pp, png_infop pi)
9266 {
9267    /* Reuse the standard stuff as appropriate. */
9268    standard_info_part1(&dp->this, pp, pi);
9269 
9270    /* If requested strip 16 to 8 bits - this is handled automagically below
9271     * because the output bit depth is read from the library.  Note that there
9272     * are interactions with sBIT but, internally, libpng makes sbit at most
9273     * PNG_MAX_GAMMA_8 prior to 1.7 when doing the following.
9274     */
9275    if (dp->scale16)
9276 #     ifdef PNG_READ_SCALE_16_TO_8_SUPPORTED
9277          png_set_scale_16(pp);
9278 #     else
9279          /* The following works both in 1.5.4 and earlier versions: */
9280 #        ifdef PNG_READ_16_TO_8_SUPPORTED
9281             png_set_strip_16(pp);
9282 #        else
9283             png_error(pp, "scale16 (16 to 8 bit conversion) not supported");
9284 #        endif
9285 #     endif
9286 
9287    if (dp->expand16)
9288 #     ifdef PNG_READ_EXPAND_16_SUPPORTED
9289          png_set_expand_16(pp);
9290 #     else
9291          png_error(pp, "expand16 (8 to 16 bit conversion) not supported");
9292 #     endif
9293 
9294    if (dp->do_background >= ALPHA_MODE_OFFSET)
9295    {
9296 #     ifdef PNG_READ_ALPHA_MODE_SUPPORTED
9297       {
9298          /* This tests the alpha mode handling, if supported. */
9299          int mode = dp->do_background - ALPHA_MODE_OFFSET;
9300 
9301          /* The gamma value is the output gamma, and is in the standard,
9302           * non-inverted, represenation.  It provides a default for the PNG file
9303           * gamma, but since the file has a gAMA chunk this does not matter.
9304           */
9305          const double sg = dp->screen_gamma;
9306 #        ifndef PNG_FLOATING_POINT_SUPPORTED
9307             const png_fixed_point g = fix(sg);
9308 #        endif
9309 
9310 #        ifdef PNG_FLOATING_POINT_SUPPORTED
9311             png_set_alpha_mode(pp, mode, sg);
9312 #        else
9313             png_set_alpha_mode_fixed(pp, mode, g);
9314 #        endif
9315 
9316          /* However, for the standard Porter-Duff algorithm the output defaults
9317           * to be linear, so if the test requires non-linear output it must be
9318           * corrected here.
9319           */
9320          if (mode == PNG_ALPHA_STANDARD && sg != 1)
9321          {
9322 #           ifdef PNG_FLOATING_POINT_SUPPORTED
9323                png_set_gamma(pp, sg, dp->file_gamma);
9324 #           else
9325                png_fixed_point f = fix(dp->file_gamma);
9326                png_set_gamma_fixed(pp, g, f);
9327 #           endif
9328          }
9329       }
9330 #     else
9331          png_error(pp, "alpha mode handling not supported");
9332 #     endif
9333    }
9334 
9335    else
9336    {
9337       /* Set up gamma processing. */
9338 #     ifdef PNG_FLOATING_POINT_SUPPORTED
9339          png_set_gamma(pp, dp->screen_gamma, dp->file_gamma);
9340 #     else
9341       {
9342          png_fixed_point s = fix(dp->screen_gamma);
9343          png_fixed_point f = fix(dp->file_gamma);
9344          png_set_gamma_fixed(pp, s, f);
9345       }
9346 #     endif
9347 
9348       if (dp->do_background)
9349       {
9350 #     ifdef PNG_READ_BACKGROUND_SUPPORTED
9351          /* NOTE: this assumes the caller provided the correct background gamma!
9352           */
9353          const double bg = dp->background_gamma;
9354 #        ifndef PNG_FLOATING_POINT_SUPPORTED
9355             const png_fixed_point g = fix(bg);
9356 #        endif
9357 
9358 #        ifdef PNG_FLOATING_POINT_SUPPORTED
9359             png_set_background(pp, &dp->background_color, dp->do_background,
9360                0/*need_expand*/, bg);
9361 #        else
9362             png_set_background_fixed(pp, &dp->background_color,
9363                dp->do_background, 0/*need_expand*/, g);
9364 #        endif
9365 #     else
9366          png_error(pp, "png_set_background not supported");
9367 #     endif
9368       }
9369    }
9370 
9371    {
9372       int i = dp->this.use_update_info;
9373       /* Always do one call, even if use_update_info is 0. */
9374       do
9375          png_read_update_info(pp, pi);
9376       while (--i > 0);
9377    }
9378 
9379    /* Now we may get a different cbRow: */
9380    standard_info_part2(&dp->this, pp, pi, 1 /*images*/);
9381 }
9382 
9383 static void PNGCBAPI
gamma_info(png_structp pp,png_infop pi)9384 gamma_info(png_structp pp, png_infop pi)
9385 {
9386    gamma_info_imp(voidcast(gamma_display*, png_get_progressive_ptr(pp)), pp,
9387       pi);
9388 }
9389 
9390 /* Validate a single component value - the routine gets the input and output
9391  * sample values as unscaled PNG component values along with a cache of all the
9392  * information required to validate the values.
9393  */
9394 typedef struct validate_info
9395 {
9396    png_const_structp  pp;
9397    gamma_display *dp;
9398    png_byte sbit;
9399    int use_input_precision;
9400    int do_background;
9401    int scale16;
9402    unsigned int sbit_max;
9403    unsigned int isbit_shift;
9404    unsigned int outmax;
9405 
9406    double gamma_correction; /* Overall correction required. */
9407    double file_inverse;     /* Inverse of file gamma. */
9408    double screen_gamma;
9409    double screen_inverse;   /* Inverse of screen gamma. */
9410 
9411    double background_red;   /* Linear background value, red or gray. */
9412    double background_green;
9413    double background_blue;
9414 
9415    double maxabs;
9416    double maxpc;
9417    double maxcalc;
9418    double maxout;
9419    double maxout_total;     /* Total including quantization error */
9420    double outlog;
9421    int    outquant;
9422 }
9423 validate_info;
9424 
9425 static void
init_validate_info(validate_info * vi,gamma_display * dp,png_const_structp pp,int in_depth,int out_depth)9426 init_validate_info(validate_info *vi, gamma_display *dp, png_const_structp pp,
9427     int in_depth, int out_depth)
9428 {
9429    const unsigned int outmax = (1U<<out_depth)-1;
9430 
9431    vi->pp = pp;
9432    vi->dp = dp;
9433 
9434    if (dp->sbit > 0 && dp->sbit < in_depth)
9435    {
9436       vi->sbit = dp->sbit;
9437       vi->isbit_shift = in_depth - dp->sbit;
9438    }
9439 
9440    else
9441    {
9442       vi->sbit = (png_byte)in_depth;
9443       vi->isbit_shift = 0;
9444    }
9445 
9446    vi->sbit_max = (1U << vi->sbit)-1;
9447 
9448    /* This mimics the libpng threshold test, '0' is used to prevent gamma
9449     * correction in the validation test.
9450     */
9451    vi->screen_gamma = dp->screen_gamma;
9452    if (fabs(vi->screen_gamma-1) < PNG_GAMMA_THRESHOLD)
9453       vi->screen_gamma = vi->screen_inverse = 0;
9454    else
9455       vi->screen_inverse = 1/vi->screen_gamma;
9456 
9457    vi->use_input_precision = dp->use_input_precision;
9458    vi->outmax = outmax;
9459    vi->maxabs = abserr(dp->pm, in_depth, out_depth);
9460    vi->maxpc = pcerr(dp->pm, in_depth, out_depth);
9461    vi->maxcalc = calcerr(dp->pm, in_depth, out_depth);
9462    vi->maxout = outerr(dp->pm, in_depth, out_depth);
9463    vi->outquant = output_quantization_factor(dp->pm, in_depth, out_depth);
9464    vi->maxout_total = vi->maxout + vi->outquant * .5;
9465    vi->outlog = outlog(dp->pm, in_depth, out_depth);
9466 
9467    if ((dp->this.colour_type & PNG_COLOR_MASK_ALPHA) != 0 ||
9468       (dp->this.colour_type == 3 && dp->this.is_transparent) ||
9469       ((dp->this.colour_type == 0 || dp->this.colour_type == 2) &&
9470        dp->this.has_tRNS))
9471    {
9472       vi->do_background = dp->do_background;
9473 
9474       if (vi->do_background != 0)
9475       {
9476          const double bg_inverse = 1/dp->background_gamma;
9477          double r, g, b;
9478 
9479          /* Caller must at least put the gray value into the red channel */
9480          r = dp->background_color.red; r /= outmax;
9481          g = dp->background_color.green; g /= outmax;
9482          b = dp->background_color.blue; b /= outmax;
9483 
9484 #     if 0
9485          /* libpng doesn't do this optimization, if we do pngvalid will fail.
9486           */
9487          if (fabs(bg_inverse-1) >= PNG_GAMMA_THRESHOLD)
9488 #     endif
9489          {
9490             r = pow(r, bg_inverse);
9491             g = pow(g, bg_inverse);
9492             b = pow(b, bg_inverse);
9493          }
9494 
9495          vi->background_red = r;
9496          vi->background_green = g;
9497          vi->background_blue = b;
9498       }
9499    }
9500    else /* Do not expect any background processing */
9501       vi->do_background = 0;
9502 
9503    if (vi->do_background == 0)
9504       vi->background_red = vi->background_green = vi->background_blue = 0;
9505 
9506    vi->gamma_correction = 1/(dp->file_gamma*dp->screen_gamma);
9507    if (fabs(vi->gamma_correction-1) < PNG_GAMMA_THRESHOLD)
9508       vi->gamma_correction = 0;
9509 
9510    vi->file_inverse = 1/dp->file_gamma;
9511    if (fabs(vi->file_inverse-1) < PNG_GAMMA_THRESHOLD)
9512       vi->file_inverse = 0;
9513 
9514    vi->scale16 = dp->scale16;
9515 }
9516 
9517 /* This function handles composition of a single non-alpha component.  The
9518  * argument is the input sample value, in the range 0..1, and the alpha value.
9519  * The result is the composed, linear, input sample.  If alpha is less than zero
9520  * this is the alpha component and the function should not be called!
9521  */
9522 static double
gamma_component_compose(int do_background,double input_sample,double alpha,double background,int * compose)9523 gamma_component_compose(int do_background, double input_sample, double alpha,
9524    double background, int *compose)
9525 {
9526    switch (do_background)
9527    {
9528 #ifdef PNG_READ_BACKGROUND_SUPPORTED
9529       case PNG_BACKGROUND_GAMMA_SCREEN:
9530       case PNG_BACKGROUND_GAMMA_FILE:
9531       case PNG_BACKGROUND_GAMMA_UNIQUE:
9532          /* Standard PNG background processing. */
9533          if (alpha < 1)
9534          {
9535             if (alpha > 0)
9536             {
9537                input_sample = input_sample * alpha + background * (1-alpha);
9538                if (compose != NULL)
9539                   *compose = 1;
9540             }
9541 
9542             else
9543                input_sample = background;
9544          }
9545          break;
9546 #endif
9547 
9548 #ifdef PNG_READ_ALPHA_MODE_SUPPORTED
9549       case ALPHA_MODE_OFFSET + PNG_ALPHA_STANDARD:
9550       case ALPHA_MODE_OFFSET + PNG_ALPHA_BROKEN:
9551          /* The components are premultiplied in either case and the output is
9552           * gamma encoded (to get standard Porter-Duff we expect the output
9553           * gamma to be set to 1.0!)
9554           */
9555       case ALPHA_MODE_OFFSET + PNG_ALPHA_OPTIMIZED:
9556          /* The optimization is that the partial-alpha entries are linear
9557           * while the opaque pixels are gamma encoded, but this only affects the
9558           * output encoding.
9559           */
9560          if (alpha < 1)
9561          {
9562             if (alpha > 0)
9563             {
9564                input_sample *= alpha;
9565                if (compose != NULL)
9566                   *compose = 1;
9567             }
9568 
9569             else
9570                input_sample = 0;
9571          }
9572          break;
9573 #endif
9574 
9575       default:
9576          /* Standard cases where no compositing is done (so the component
9577           * value is already correct.)
9578           */
9579          UNUSED(alpha)
9580          UNUSED(background)
9581          UNUSED(compose)
9582          break;
9583    }
9584 
9585    return input_sample;
9586 }
9587 
9588 /* This API returns the encoded *input* component, in the range 0..1 */
9589 static double
gamma_component_validate(const char * name,const validate_info * vi,const unsigned int id,const unsigned int od,const double alpha,const double background)9590 gamma_component_validate(const char *name, const validate_info *vi,
9591     const unsigned int id, const unsigned int od,
9592     const double alpha /* <0 for the alpha channel itself */,
9593     const double background /* component background value */)
9594 {
9595    const unsigned int isbit = id >> vi->isbit_shift;
9596    const unsigned int sbit_max = vi->sbit_max;
9597    const unsigned int outmax = vi->outmax;
9598    const int do_background = vi->do_background;
9599 
9600    double i;
9601 
9602    /* First check on the 'perfect' result obtained from the digitized input
9603     * value, id, and compare this against the actual digitized result, 'od'.
9604     * 'i' is the input result in the range 0..1:
9605     */
9606    i = isbit; i /= sbit_max;
9607 
9608    /* Check for the fast route: if we don't do any background composition or if
9609     * this is the alpha channel ('alpha' < 0) or if the pixel is opaque then
9610     * just use the gamma_correction field to correct to the final output gamma.
9611     */
9612    if (alpha == 1 /* opaque pixel component */ || !do_background
9613 #ifdef PNG_READ_ALPHA_MODE_SUPPORTED
9614       || do_background == ALPHA_MODE_OFFSET + PNG_ALPHA_PNG
9615 #endif
9616       || (alpha < 0 /* alpha channel */
9617 #ifdef PNG_READ_ALPHA_MODE_SUPPORTED
9618       && do_background != ALPHA_MODE_OFFSET + PNG_ALPHA_BROKEN
9619 #endif
9620       ))
9621    {
9622       /* Then get the gamma corrected version of 'i' and compare to 'od', any
9623        * error less than .5 is insignificant - just quantization of the output
9624        * value to the nearest digital value (nevertheless the error is still
9625        * recorded - it's interesting ;-)
9626        */
9627       double encoded_sample = i;
9628       double encoded_error;
9629 
9630       /* alpha less than 0 indicates the alpha channel, which is always linear
9631        */
9632       if (alpha >= 0 && vi->gamma_correction > 0)
9633          encoded_sample = pow(encoded_sample, vi->gamma_correction);
9634       encoded_sample *= outmax;
9635 
9636       encoded_error = fabs(od-encoded_sample);
9637 
9638       if (encoded_error > vi->dp->maxerrout)
9639          vi->dp->maxerrout = encoded_error;
9640 
9641       if (encoded_error < vi->maxout_total && encoded_error < vi->outlog)
9642          return i;
9643    }
9644 
9645    /* The slow route - attempt to do linear calculations. */
9646    /* There may be an error, or background processing is required, so calculate
9647     * the actual sample values - unencoded light intensity values.  Note that in
9648     * practice these are not completely unencoded because they include a
9649     * 'viewing correction' to decrease or (normally) increase the perceptual
9650     * contrast of the image.  There's nothing we can do about this - we don't
9651     * know what it is - so assume the unencoded value is perceptually linear.
9652     */
9653    {
9654       double input_sample = i; /* In range 0..1 */
9655       double output, error, encoded_sample, encoded_error;
9656       double es_lo, es_hi;
9657       int compose = 0;           /* Set to one if composition done */
9658       int output_is_encoded;     /* Set if encoded to screen gamma */
9659       int log_max_error = 1;     /* Check maximum error values */
9660       png_const_charp pass = 0;  /* Reason test passes (or 0 for fail) */
9661 
9662       /* Convert to linear light (with the above caveat.)  The alpha channel is
9663        * already linear.
9664        */
9665       if (alpha >= 0)
9666       {
9667          int tcompose;
9668 
9669          if (vi->file_inverse > 0)
9670             input_sample = pow(input_sample, vi->file_inverse);
9671 
9672          /* Handle the compose processing: */
9673          tcompose = 0;
9674          input_sample = gamma_component_compose(do_background, input_sample,
9675             alpha, background, &tcompose);
9676 
9677          if (tcompose)
9678             compose = 1;
9679       }
9680 
9681       /* And similarly for the output value, but we need to check the background
9682        * handling to linearize it correctly.
9683        */
9684       output = od;
9685       output /= outmax;
9686 
9687       output_is_encoded = vi->screen_gamma > 0;
9688 
9689       if (alpha < 0) /* The alpha channel */
9690       {
9691 #ifdef PNG_READ_ALPHA_MODE_SUPPORTED
9692          if (do_background != ALPHA_MODE_OFFSET + PNG_ALPHA_BROKEN)
9693 #endif
9694          {
9695             /* In all other cases the output alpha channel is linear already,
9696              * don't log errors here, they are much larger in linear data.
9697              */
9698             output_is_encoded = 0;
9699             log_max_error = 0;
9700          }
9701       }
9702 
9703 #ifdef PNG_READ_ALPHA_MODE_SUPPORTED
9704       else /* A component */
9705       {
9706          if (do_background == ALPHA_MODE_OFFSET + PNG_ALPHA_OPTIMIZED &&
9707             alpha < 1) /* the optimized case - linear output */
9708          {
9709             if (alpha > 0) log_max_error = 0;
9710             output_is_encoded = 0;
9711          }
9712       }
9713 #endif
9714 
9715       if (output_is_encoded)
9716          output = pow(output, vi->screen_gamma);
9717 
9718       /* Calculate (or recalculate) the encoded_sample value and repeat the
9719        * check above (unnecessary if we took the fast route, but harmless.)
9720        */
9721       encoded_sample = input_sample;
9722       if (output_is_encoded)
9723          encoded_sample = pow(encoded_sample, vi->screen_inverse);
9724       encoded_sample *= outmax;
9725 
9726       encoded_error = fabs(od-encoded_sample);
9727 
9728       /* Don't log errors in the alpha channel, or the 'optimized' case,
9729        * neither are significant to the overall perception.
9730        */
9731       if (log_max_error && encoded_error > vi->dp->maxerrout)
9732          vi->dp->maxerrout = encoded_error;
9733 
9734       if (encoded_error < vi->maxout_total)
9735       {
9736          if (encoded_error < vi->outlog)
9737             return i;
9738 
9739          /* Test passed but error is bigger than the log limit, record why the
9740           * test passed:
9741           */
9742          pass = "less than maxout:\n";
9743       }
9744 
9745       /* i: the original input value in the range 0..1
9746        *
9747        * pngvalid calculations:
9748        *  input_sample: linear result; i linearized and composed, range 0..1
9749        *  encoded_sample: encoded result; input_sample scaled to ouput bit depth
9750        *
9751        * libpng calculations:
9752        *  output: linear result; od scaled to 0..1 and linearized
9753        *  od: encoded result from libpng
9754        */
9755 
9756       /* Now we have the numbers for real errors, both absolute values as as a
9757        * percentage of the correct value (output):
9758        */
9759       error = fabs(input_sample-output);
9760 
9761       if (log_max_error && error > vi->dp->maxerrabs)
9762          vi->dp->maxerrabs = error;
9763 
9764       /* The following is an attempt to ignore the tendency of quantization to
9765        * dominate the percentage errors for lower result values:
9766        */
9767       if (log_max_error && input_sample > .5)
9768       {
9769          double percentage_error = error/input_sample;
9770          if (percentage_error > vi->dp->maxerrpc)
9771             vi->dp->maxerrpc = percentage_error;
9772       }
9773 
9774       /* Now calculate the digitization limits for 'encoded_sample' using the
9775        * 'max' values.  Note that maxout is in the encoded space but maxpc and
9776        * maxabs are in linear light space.
9777        *
9778        * First find the maximum error in linear light space, range 0..1:
9779        */
9780       {
9781          double tmp = input_sample * vi->maxpc;
9782          if (tmp < vi->maxabs) tmp = vi->maxabs;
9783          /* If 'compose' is true the composition was done in linear space using
9784           * integer arithmetic.  This introduces an extra error of +/- 0.5 (at
9785           * least) in the integer space used.  'maxcalc' records this, taking
9786           * into account the possibility that even for 16 bit output 8 bit space
9787           * may have been used.
9788           */
9789          if (compose && tmp < vi->maxcalc) tmp = vi->maxcalc;
9790 
9791          /* The 'maxout' value refers to the encoded result, to compare with
9792           * this encode input_sample adjusted by the maximum error (tmp) above.
9793           */
9794          es_lo = encoded_sample - vi->maxout;
9795 
9796          if (es_lo > 0 && input_sample-tmp > 0)
9797          {
9798             double low_value = input_sample-tmp;
9799             if (output_is_encoded)
9800                low_value = pow(low_value, vi->screen_inverse);
9801             low_value *= outmax;
9802             if (low_value < es_lo) es_lo = low_value;
9803 
9804             /* Quantize this appropriately: */
9805             es_lo = ceil(es_lo / vi->outquant - .5) * vi->outquant;
9806          }
9807 
9808          else
9809             es_lo = 0;
9810 
9811          es_hi = encoded_sample + vi->maxout;
9812 
9813          if (es_hi < outmax && input_sample+tmp < 1)
9814          {
9815             double high_value = input_sample+tmp;
9816             if (output_is_encoded)
9817                high_value = pow(high_value, vi->screen_inverse);
9818             high_value *= outmax;
9819             if (high_value > es_hi) es_hi = high_value;
9820 
9821             es_hi = floor(es_hi / vi->outquant + .5) * vi->outquant;
9822          }
9823 
9824          else
9825             es_hi = outmax;
9826       }
9827 
9828       /* The primary test is that the final encoded value returned by the
9829        * library should be between the two limits (inclusive) that were
9830        * calculated above.
9831        */
9832       if (od >= es_lo && od <= es_hi)
9833       {
9834          /* The value passes, but we may need to log the information anyway. */
9835          if (encoded_error < vi->outlog)
9836             return i;
9837 
9838          if (pass == 0)
9839             pass = "within digitization limits:\n";
9840       }
9841 
9842       {
9843          /* There has been an error in processing, or we need to log this
9844           * value.
9845           */
9846          double is_lo, is_hi;
9847 
9848          /* pass is set at this point if either of the tests above would have
9849           * passed.  Don't do these additional tests here - just log the
9850           * original [es_lo..es_hi] values.
9851           */
9852          if (pass == 0 && vi->use_input_precision && vi->dp->sbit)
9853          {
9854             /* Ok, something is wrong - this actually happens in current libpng
9855              * 16-to-8 processing.  Assume that the input value (id, adjusted
9856              * for sbit) can be anywhere between value-.5 and value+.5 - quite a
9857              * large range if sbit is low.
9858              *
9859              * NOTE: at present because the libpng gamma table stuff has been
9860              * changed to use a rounding algorithm to correct errors in 8-bit
9861              * calculations the precise sbit calculation (a shift) has been
9862              * lost.  This can result in up to a +/-1 error in the presence of
9863              * an sbit less than the bit depth.
9864              */
9865 #           if PNG_LIBPNG_VER < 10700
9866 #              define SBIT_ERROR .5
9867 #           else
9868 #              define SBIT_ERROR 1.
9869 #           endif
9870             double tmp = (isbit - SBIT_ERROR)/sbit_max;
9871 
9872             if (tmp <= 0)
9873                tmp = 0;
9874 
9875             else if (alpha >= 0 && vi->file_inverse > 0 && tmp < 1)
9876                tmp = pow(tmp, vi->file_inverse);
9877 
9878             tmp = gamma_component_compose(do_background, tmp, alpha, background,
9879                NULL);
9880 
9881             if (output_is_encoded && tmp > 0 && tmp < 1)
9882                tmp = pow(tmp, vi->screen_inverse);
9883 
9884             is_lo = ceil(outmax * tmp - vi->maxout_total);
9885 
9886             if (is_lo < 0)
9887                is_lo = 0;
9888 
9889             tmp = (isbit + SBIT_ERROR)/sbit_max;
9890 
9891             if (tmp >= 1)
9892                tmp = 1;
9893 
9894             else if (alpha >= 0 && vi->file_inverse > 0 && tmp < 1)
9895                tmp = pow(tmp, vi->file_inverse);
9896 
9897             tmp = gamma_component_compose(do_background, tmp, alpha, background,
9898                NULL);
9899 
9900             if (output_is_encoded && tmp > 0 && tmp < 1)
9901                tmp = pow(tmp, vi->screen_inverse);
9902 
9903             is_hi = floor(outmax * tmp + vi->maxout_total);
9904 
9905             if (is_hi > outmax)
9906                is_hi = outmax;
9907 
9908             if (!(od < is_lo || od > is_hi))
9909             {
9910                if (encoded_error < vi->outlog)
9911                   return i;
9912 
9913                pass = "within input precision limits:\n";
9914             }
9915 
9916             /* One last chance.  If this is an alpha channel and the 16to8
9917              * option has been used and 'inaccurate' scaling is used then the
9918              * bit reduction is obtained by simply using the top 8 bits of the
9919              * value.
9920              *
9921              * This is only done for older libpng versions when the 'inaccurate'
9922              * (chop) method of scaling was used.
9923              */
9924 #           ifndef PNG_READ_16_TO_8_ACCURATE_SCALE_SUPPORTED
9925 #              if PNG_LIBPNG_VER < 10504
9926                   /* This may be required for other components in the future,
9927                    * but at present the presence of gamma correction effectively
9928                    * prevents the errors in the component scaling (I don't quite
9929                    * understand why, but since it's better this way I care not
9930                    * to ask, JB 20110419.)
9931                    */
9932                   if (pass == 0 && alpha < 0 && vi->scale16 && vi->sbit > 8 &&
9933                      vi->sbit + vi->isbit_shift == 16)
9934                   {
9935                      tmp = ((id >> 8) - .5)/255;
9936 
9937                      if (tmp > 0)
9938                      {
9939                         is_lo = ceil(outmax * tmp - vi->maxout_total);
9940                         if (is_lo < 0) is_lo = 0;
9941                      }
9942 
9943                      else
9944                         is_lo = 0;
9945 
9946                      tmp = ((id >> 8) + .5)/255;
9947 
9948                      if (tmp < 1)
9949                      {
9950                         is_hi = floor(outmax * tmp + vi->maxout_total);
9951                         if (is_hi > outmax) is_hi = outmax;
9952                      }
9953 
9954                      else
9955                         is_hi = outmax;
9956 
9957                      if (!(od < is_lo || od > is_hi))
9958                      {
9959                         if (encoded_error < vi->outlog)
9960                            return i;
9961 
9962                         pass = "within 8 bit limits:\n";
9963                      }
9964                   }
9965 #              endif
9966 #           endif
9967          }
9968          else /* !use_input_precision */
9969             is_lo = es_lo, is_hi = es_hi;
9970 
9971          /* Attempt to output a meaningful error/warning message: the message
9972           * output depends on the background/composite operation being performed
9973           * because this changes what parameters were actually used above.
9974           */
9975          {
9976             size_t pos = 0;
9977             /* Need either 1/255 or 1/65535 precision here; 3 or 6 decimal
9978              * places.  Just use outmax to work out which.
9979              */
9980             int precision = (outmax >= 1000 ? 6 : 3);
9981             int use_input=1, use_background=0, do_compose=0;
9982             char msg[256];
9983 
9984             if (pass != 0)
9985                pos = safecat(msg, sizeof msg, pos, "\n\t");
9986 
9987             /* Set up the various flags, the output_is_encoded flag above
9988              * is also used below.  do_compose is just a double check.
9989              */
9990             switch (do_background)
9991             {
9992 #           ifdef PNG_READ_BACKGROUND_SUPPORTED
9993                case PNG_BACKGROUND_GAMMA_SCREEN:
9994                case PNG_BACKGROUND_GAMMA_FILE:
9995                case PNG_BACKGROUND_GAMMA_UNIQUE:
9996                   use_background = (alpha >= 0 && alpha < 1);
9997                   /*FALL THROUGH*/
9998 #           endif
9999 #           ifdef PNG_READ_ALPHA_MODE_SUPPORTED
10000                case ALPHA_MODE_OFFSET + PNG_ALPHA_STANDARD:
10001                case ALPHA_MODE_OFFSET + PNG_ALPHA_BROKEN:
10002                case ALPHA_MODE_OFFSET + PNG_ALPHA_OPTIMIZED:
10003 #           endif /* ALPHA_MODE_SUPPORTED */
10004                do_compose = (alpha > 0 && alpha < 1);
10005                use_input = (alpha != 0);
10006                break;
10007 
10008             default:
10009                break;
10010             }
10011 
10012             /* Check the 'compose' flag */
10013             if (compose != do_compose)
10014                png_error(vi->pp, "internal error (compose)");
10015 
10016             /* 'name' is the component name */
10017             pos = safecat(msg, sizeof msg, pos, name);
10018             pos = safecat(msg, sizeof msg, pos, "(");
10019             pos = safecatn(msg, sizeof msg, pos, id);
10020             if (use_input || pass != 0/*logging*/)
10021             {
10022                if (isbit != id)
10023                {
10024                   /* sBIT has reduced the precision of the input: */
10025                   pos = safecat(msg, sizeof msg, pos, ", sbit(");
10026                   pos = safecatn(msg, sizeof msg, pos, vi->sbit);
10027                   pos = safecat(msg, sizeof msg, pos, "): ");
10028                   pos = safecatn(msg, sizeof msg, pos, isbit);
10029                }
10030                pos = safecat(msg, sizeof msg, pos, "/");
10031                /* The output is either "id/max" or "id sbit(sbit): isbit/max" */
10032                pos = safecatn(msg, sizeof msg, pos, vi->sbit_max);
10033             }
10034             pos = safecat(msg, sizeof msg, pos, ")");
10035 
10036             /* A component may have been multiplied (in linear space) by the
10037              * alpha value, 'compose' says whether this is relevant.
10038              */
10039             if (compose || pass != 0)
10040             {
10041                /* If any form of composition is being done report our
10042                 * calculated linear value here (the code above doesn't record
10043                 * the input value before composition is performed, so what
10044                 * gets reported is the value after composition.)
10045                 */
10046                if (use_input || pass != 0)
10047                {
10048                   if (vi->file_inverse > 0)
10049                   {
10050                      pos = safecat(msg, sizeof msg, pos, "^");
10051                      pos = safecatd(msg, sizeof msg, pos, vi->file_inverse, 2);
10052                   }
10053 
10054                   else
10055                      pos = safecat(msg, sizeof msg, pos, "[linear]");
10056 
10057                   pos = safecat(msg, sizeof msg, pos, "*(alpha)");
10058                   pos = safecatd(msg, sizeof msg, pos, alpha, precision);
10059                }
10060 
10061                /* Now record the *linear* background value if it was used
10062                 * (this function is not passed the original, non-linear,
10063                 * value but it is contained in the test name.)
10064                 */
10065                if (use_background)
10066                {
10067                   pos = safecat(msg, sizeof msg, pos, use_input ? "+" : " ");
10068                   pos = safecat(msg, sizeof msg, pos, "(background)");
10069                   pos = safecatd(msg, sizeof msg, pos, background, precision);
10070                   pos = safecat(msg, sizeof msg, pos, "*");
10071                   pos = safecatd(msg, sizeof msg, pos, 1-alpha, precision);
10072                }
10073             }
10074 
10075             /* Report the calculated value (input_sample) and the linearized
10076              * libpng value (output) unless this is just a component gamma
10077              * correction.
10078              */
10079             if (compose || alpha < 0 || pass != 0)
10080             {
10081                pos = safecat(msg, sizeof msg, pos,
10082                   pass != 0 ? " =\n\t" : " = ");
10083                pos = safecatd(msg, sizeof msg, pos, input_sample, precision);
10084                pos = safecat(msg, sizeof msg, pos, " (libpng: ");
10085                pos = safecatd(msg, sizeof msg, pos, output, precision);
10086                pos = safecat(msg, sizeof msg, pos, ")");
10087 
10088                /* Finally report the output gamma encoding, if any. */
10089                if (output_is_encoded)
10090                {
10091                   pos = safecat(msg, sizeof msg, pos, " ^");
10092                   pos = safecatd(msg, sizeof msg, pos, vi->screen_inverse, 2);
10093                   pos = safecat(msg, sizeof msg, pos, "(to screen) =");
10094                }
10095 
10096                else
10097                   pos = safecat(msg, sizeof msg, pos, " [screen is linear] =");
10098             }
10099 
10100             if ((!compose && alpha >= 0) || pass != 0)
10101             {
10102                if (pass != 0) /* logging */
10103                   pos = safecat(msg, sizeof msg, pos, "\n\t[overall:");
10104 
10105                /* This is the non-composition case, the internal linear
10106                 * values are irrelevant (though the log below will reveal
10107                 * them.)  Output a much shorter warning/error message and report
10108                 * the overall gamma correction.
10109                 */
10110                if (vi->gamma_correction > 0)
10111                {
10112                   pos = safecat(msg, sizeof msg, pos, " ^");
10113                   pos = safecatd(msg, sizeof msg, pos, vi->gamma_correction, 2);
10114                   pos = safecat(msg, sizeof msg, pos, "(gamma correction) =");
10115                }
10116 
10117                else
10118                   pos = safecat(msg, sizeof msg, pos,
10119                      " [no gamma correction] =");
10120 
10121                if (pass != 0)
10122                   pos = safecat(msg, sizeof msg, pos, "]");
10123             }
10124 
10125             /* This is our calculated encoded_sample which should (but does
10126              * not) match od:
10127              */
10128             pos = safecat(msg, sizeof msg, pos, pass != 0 ? "\n\t" : " ");
10129             pos = safecatd(msg, sizeof msg, pos, is_lo, 1);
10130             pos = safecat(msg, sizeof msg, pos, " < ");
10131             pos = safecatd(msg, sizeof msg, pos, encoded_sample, 1);
10132             pos = safecat(msg, sizeof msg, pos, " (libpng: ");
10133             pos = safecatn(msg, sizeof msg, pos, od);
10134             pos = safecat(msg, sizeof msg, pos, ")");
10135             pos = safecat(msg, sizeof msg, pos, "/");
10136             pos = safecatn(msg, sizeof msg, pos, outmax);
10137             pos = safecat(msg, sizeof msg, pos, " < ");
10138             pos = safecatd(msg, sizeof msg, pos, is_hi, 1);
10139 
10140             if (pass == 0) /* The error condition */
10141             {
10142 #              ifdef PNG_WARNINGS_SUPPORTED
10143                   png_warning(vi->pp, msg);
10144 #              else
10145                   store_warning(vi->pp, msg);
10146 #              endif
10147             }
10148 
10149             else /* logging this value */
10150                store_verbose(&vi->dp->pm->this, vi->pp, pass, msg);
10151          }
10152       }
10153    }
10154 
10155    return i;
10156 }
10157 
10158 static void
gamma_image_validate(gamma_display * dp,png_const_structp pp,png_infop pi)10159 gamma_image_validate(gamma_display *dp, png_const_structp pp,
10160    png_infop pi)
10161 {
10162    /* Get some constants derived from the input and output file formats: */
10163    const png_store* const ps = dp->this.ps;
10164    const png_byte in_ct = dp->this.colour_type;
10165    const png_byte in_bd = dp->this.bit_depth;
10166    const png_uint_32 w = dp->this.w;
10167    const png_uint_32 h = dp->this.h;
10168    const size_t cbRow = dp->this.cbRow;
10169    const png_byte out_ct = png_get_color_type(pp, pi);
10170    const png_byte out_bd = png_get_bit_depth(pp, pi);
10171 
10172    /* There are three sources of error, firstly the quantization in the
10173     * file encoding, determined by sbit and/or the file depth, secondly
10174     * the output (screen) gamma and thirdly the output file encoding.
10175     *
10176     * Since this API receives the screen and file gamma in double
10177     * precision it is possible to calculate an exact answer given an input
10178     * pixel value.  Therefore we assume that the *input* value is exact -
10179     * sample/maxsample - calculate the corresponding gamma corrected
10180     * output to the limits of double precision arithmetic and compare with
10181     * what libpng returns.
10182     *
10183     * Since the library must quantize the output to 8 or 16 bits there is
10184     * a fundamental limit on the accuracy of the output of +/-.5 - this
10185     * quantization limit is included in addition to the other limits
10186     * specified by the paramaters to the API.  (Effectively, add .5
10187     * everywhere.)
10188     *
10189     * The behavior of the 'sbit' paramter is defined by section 12.5
10190     * (sample depth scaling) of the PNG spec.  That section forces the
10191     * decoder to assume that the PNG values have been scaled if sBIT is
10192     * present:
10193     *
10194     *     png-sample = floor( input-sample * (max-out/max-in) + .5);
10195     *
10196     * This means that only a subset of the possible PNG values should
10197     * appear in the input. However, the spec allows the encoder to use a
10198     * variety of approximations to the above and doesn't require any
10199     * restriction of the values produced.
10200     *
10201     * Nevertheless the spec requires that the upper 'sBIT' bits of the
10202     * value stored in a PNG file be the original sample bits.
10203     * Consequently the code below simply scales the top sbit bits by
10204     * (1<<sbit)-1 to obtain an original sample value.
10205     *
10206     * Because there is limited precision in the input it is arguable that
10207     * an acceptable result is any valid result from input-.5 to input+.5.
10208     * The basic tests below do not do this, however if 'use_input_precision'
10209     * is set a subsequent test is performed above.
10210     */
10211    const unsigned int samples_per_pixel = (out_ct & 2U) ? 3U : 1U;
10212    int processing;
10213    png_uint_32 y;
10214    const store_palette_entry *in_palette = dp->this.palette;
10215    const int in_is_transparent = dp->this.is_transparent;
10216    int process_tRNS;
10217    int out_npalette = -1;
10218    int out_is_transparent = 0; /* Just refers to the palette case */
10219    store_palette out_palette;
10220    validate_info vi;
10221 
10222    /* Check for row overwrite errors */
10223    store_image_check(dp->this.ps, pp, 0);
10224 
10225    /* Supply the input and output sample depths here - 8 for an indexed image,
10226     * otherwise the bit depth.
10227     */
10228    init_validate_info(&vi, dp, pp, in_ct==3?8:in_bd, out_ct==3?8:out_bd);
10229 
10230    processing = (vi.gamma_correction > 0 && !dp->threshold_test)
10231       || in_bd != out_bd || in_ct != out_ct || vi.do_background;
10232    process_tRNS = dp->this.has_tRNS && vi.do_background;
10233 
10234    /* TODO: FIX THIS: MAJOR BUG!  If the transformations all happen inside
10235     * the palette there is no way of finding out, because libpng fails to
10236     * update the palette on png_read_update_info.  Indeed, libpng doesn't
10237     * even do the required work until much later, when it doesn't have any
10238     * info pointer.  Oops.  For the moment 'processing' is turned off if
10239     * out_ct is palette.
10240     */
10241    if (in_ct == 3 && out_ct == 3)
10242       processing = 0;
10243 
10244    if (processing && out_ct == 3)
10245       out_is_transparent = read_palette(out_palette, &out_npalette, pp, pi);
10246 
10247    for (y=0; y<h; ++y)
10248    {
10249       png_const_bytep pRow = store_image_row(ps, pp, 0, y);
10250       png_byte std[STANDARD_ROWMAX];
10251 
10252       transform_row(pp, std, in_ct, in_bd, y);
10253 
10254       if (processing)
10255       {
10256          unsigned int x;
10257 
10258          for (x=0; x<w; ++x)
10259          {
10260             double alpha = 1; /* serves as a flag value */
10261 
10262             /* Record the palette index for index images. */
10263             const unsigned int in_index =
10264                in_ct == 3 ? sample(std, 3, in_bd, x, 0, 0, 0) : 256;
10265             const unsigned int out_index =
10266                out_ct == 3 ? sample(std, 3, out_bd, x, 0, 0, 0) : 256;
10267 
10268             /* Handle input alpha - png_set_background will cause the output
10269              * alpha to disappear so there is nothing to check.
10270              */
10271             if ((in_ct & PNG_COLOR_MASK_ALPHA) != 0 ||
10272                 (in_ct == 3 && in_is_transparent))
10273             {
10274                const unsigned int input_alpha = in_ct == 3 ?
10275                   dp->this.palette[in_index].alpha :
10276                   sample(std, in_ct, in_bd, x, samples_per_pixel, 0, 0);
10277 
10278                unsigned int output_alpha = 65536 /* as a flag value */;
10279 
10280                if (out_ct == 3)
10281                {
10282                   if (out_is_transparent)
10283                      output_alpha = out_palette[out_index].alpha;
10284                }
10285 
10286                else if ((out_ct & PNG_COLOR_MASK_ALPHA) != 0)
10287                   output_alpha = sample(pRow, out_ct, out_bd, x,
10288                      samples_per_pixel, 0, 0);
10289 
10290                if (output_alpha != 65536)
10291                   alpha = gamma_component_validate("alpha", &vi, input_alpha,
10292                      output_alpha, -1/*alpha*/, 0/*background*/);
10293 
10294                else /* no alpha in output */
10295                {
10296                   /* This is a copy of the calculation of 'i' above in order to
10297                    * have the alpha value to use in the background calculation.
10298                    */
10299                   alpha = input_alpha >> vi.isbit_shift;
10300                   alpha /= vi.sbit_max;
10301                }
10302             }
10303 
10304             else if (process_tRNS)
10305             {
10306                /* alpha needs to be set appropriately for this pixel, it is
10307                 * currently 1 and needs to be 0 for an input pixel which matches
10308                 * the values in tRNS.
10309                 */
10310                switch (in_ct)
10311                {
10312                   case 0: /* gray */
10313                      if (sample(std, in_ct, in_bd, x, 0, 0, 0) ==
10314                            dp->this.transparent.red)
10315                         alpha = 0;
10316                      break;
10317 
10318                   case 2: /* RGB */
10319                      if (sample(std, in_ct, in_bd, x, 0, 0, 0) ==
10320                            dp->this.transparent.red &&
10321                          sample(std, in_ct, in_bd, x, 1, 0, 0) ==
10322                            dp->this.transparent.green &&
10323                          sample(std, in_ct, in_bd, x, 2, 0, 0) ==
10324                            dp->this.transparent.blue)
10325                         alpha = 0;
10326                      break;
10327 
10328                   default:
10329                      break;
10330                }
10331             }
10332 
10333             /* Handle grayscale or RGB components. */
10334             if ((in_ct & PNG_COLOR_MASK_COLOR) == 0) /* grayscale */
10335                (void)gamma_component_validate("gray", &vi,
10336                   sample(std, in_ct, in_bd, x, 0, 0, 0),
10337                   sample(pRow, out_ct, out_bd, x, 0, 0, 0),
10338                   alpha/*component*/, vi.background_red);
10339             else /* RGB or palette */
10340             {
10341                (void)gamma_component_validate("red", &vi,
10342                   in_ct == 3 ? in_palette[in_index].red :
10343                      sample(std, in_ct, in_bd, x, 0, 0, 0),
10344                   out_ct == 3 ? out_palette[out_index].red :
10345                      sample(pRow, out_ct, out_bd, x, 0, 0, 0),
10346                   alpha/*component*/, vi.background_red);
10347 
10348                (void)gamma_component_validate("green", &vi,
10349                   in_ct == 3 ? in_palette[in_index].green :
10350                      sample(std, in_ct, in_bd, x, 1, 0, 0),
10351                   out_ct == 3 ? out_palette[out_index].green :
10352                      sample(pRow, out_ct, out_bd, x, 1, 0, 0),
10353                   alpha/*component*/, vi.background_green);
10354 
10355                (void)gamma_component_validate("blue", &vi,
10356                   in_ct == 3 ? in_palette[in_index].blue :
10357                      sample(std, in_ct, in_bd, x, 2, 0, 0),
10358                   out_ct == 3 ? out_palette[out_index].blue :
10359                      sample(pRow, out_ct, out_bd, x, 2, 0, 0),
10360                   alpha/*component*/, vi.background_blue);
10361             }
10362          }
10363       }
10364 
10365       else if (memcmp(std, pRow, cbRow) != 0)
10366       {
10367          char msg[64];
10368 
10369          /* No transform is expected on the threshold tests. */
10370          sprintf(msg, "gamma: below threshold row %lu changed",
10371             (unsigned long)y);
10372 
10373          png_error(pp, msg);
10374       }
10375    } /* row (y) loop */
10376 
10377    dp->this.ps->validated = 1;
10378 }
10379 
10380 static void PNGCBAPI
gamma_end(png_structp ppIn,png_infop pi)10381 gamma_end(png_structp ppIn, png_infop pi)
10382 {
10383    png_const_structp pp = ppIn;
10384    gamma_display *dp = voidcast(gamma_display*, png_get_progressive_ptr(pp));
10385 
10386    if (!dp->this.speed)
10387       gamma_image_validate(dp, pp, pi);
10388    else
10389       dp->this.ps->validated = 1;
10390 }
10391 
10392 /* A single test run checking a gamma transformation.
10393  *
10394  * maxabs: maximum absolute error as a fraction
10395  * maxout: maximum output error in the output units
10396  * maxpc:  maximum percentage error (as a percentage)
10397  */
10398 static void
gamma_test(png_modifier * pmIn,const png_byte colour_typeIn,const png_byte bit_depthIn,const int palette_numberIn,const int interlace_typeIn,const double file_gammaIn,const double screen_gammaIn,const png_byte sbitIn,const int threshold_testIn,const char * name,const int use_input_precisionIn,const int scale16In,const int expand16In,const int do_backgroundIn,const png_color_16 * bkgd_colorIn,double bkgd_gammaIn)10399 gamma_test(png_modifier *pmIn, const png_byte colour_typeIn,
10400     const png_byte bit_depthIn, const int palette_numberIn,
10401     const int interlace_typeIn,
10402     const double file_gammaIn, const double screen_gammaIn,
10403     const png_byte sbitIn, const int threshold_testIn,
10404     const char *name,
10405     const int use_input_precisionIn, const int scale16In,
10406     const int expand16In, const int do_backgroundIn,
10407     const png_color_16 *bkgd_colorIn, double bkgd_gammaIn)
10408 {
10409    gamma_display d;
10410    context(&pmIn->this, fault);
10411 
10412    gamma_display_init(&d, pmIn, FILEID(colour_typeIn, bit_depthIn,
10413       palette_numberIn, interlace_typeIn, 0, 0, 0),
10414       file_gammaIn, screen_gammaIn, sbitIn,
10415       threshold_testIn, use_input_precisionIn, scale16In,
10416       expand16In, do_backgroundIn, bkgd_colorIn, bkgd_gammaIn);
10417 
10418    Try
10419    {
10420       png_structp pp;
10421       png_infop pi;
10422       gama_modification gama_mod;
10423       srgb_modification srgb_mod;
10424       sbit_modification sbit_mod;
10425 
10426       /* For the moment don't use the png_modifier support here. */
10427       d.pm->encoding_counter = 0;
10428       modifier_set_encoding(d.pm); /* Just resets everything */
10429       d.pm->current_gamma = d.file_gamma;
10430 
10431       /* Make an appropriate modifier to set the PNG file gamma to the
10432        * given gamma value and the sBIT chunk to the given precision.
10433        */
10434       d.pm->modifications = NULL;
10435       gama_modification_init(&gama_mod, d.pm, d.file_gamma);
10436       srgb_modification_init(&srgb_mod, d.pm, 127 /*delete*/);
10437       if (d.sbit > 0)
10438          sbit_modification_init(&sbit_mod, d.pm, d.sbit);
10439 
10440       modification_reset(d.pm->modifications);
10441 
10442       /* Get a png_struct for reading the image. */
10443       pp = set_modifier_for_read(d.pm, &pi, d.this.id, name);
10444       standard_palette_init(&d.this);
10445 
10446       /* Introduce the correct read function. */
10447       if (d.pm->this.progressive)
10448       {
10449          /* Share the row function with the standard implementation. */
10450          png_set_progressive_read_fn(pp, &d, gamma_info, progressive_row,
10451             gamma_end);
10452 
10453          /* Now feed data into the reader until we reach the end: */
10454          modifier_progressive_read(d.pm, pp, pi);
10455       }
10456       else
10457       {
10458          /* modifier_read expects a png_modifier* */
10459          png_set_read_fn(pp, d.pm, modifier_read);
10460 
10461          /* Check the header values: */
10462          png_read_info(pp, pi);
10463 
10464          /* Process the 'info' requirements. Only one image is generated */
10465          gamma_info_imp(&d, pp, pi);
10466 
10467          sequential_row(&d.this, pp, pi, -1, 0);
10468 
10469          if (!d.this.speed)
10470             gamma_image_validate(&d, pp, pi);
10471          else
10472             d.this.ps->validated = 1;
10473       }
10474 
10475       modifier_reset(d.pm);
10476 
10477       if (d.pm->log && !d.threshold_test && !d.this.speed)
10478          fprintf(stderr, "%d bit %s %s: max error %f (%.2g, %2g%%)\n",
10479             d.this.bit_depth, colour_types[d.this.colour_type], name,
10480             d.maxerrout, d.maxerrabs, 100*d.maxerrpc);
10481 
10482       /* Log the summary values too. */
10483       if (d.this.colour_type == 0 || d.this.colour_type == 4)
10484       {
10485          switch (d.this.bit_depth)
10486          {
10487          case 1:
10488             break;
10489 
10490          case 2:
10491             if (d.maxerrout > d.pm->error_gray_2)
10492                d.pm->error_gray_2 = d.maxerrout;
10493 
10494             break;
10495 
10496          case 4:
10497             if (d.maxerrout > d.pm->error_gray_4)
10498                d.pm->error_gray_4 = d.maxerrout;
10499 
10500             break;
10501 
10502          case 8:
10503             if (d.maxerrout > d.pm->error_gray_8)
10504                d.pm->error_gray_8 = d.maxerrout;
10505 
10506             break;
10507 
10508          case 16:
10509             if (d.maxerrout > d.pm->error_gray_16)
10510                d.pm->error_gray_16 = d.maxerrout;
10511 
10512             break;
10513 
10514          default:
10515             png_error(pp, "bad bit depth (internal: 1)");
10516          }
10517       }
10518 
10519       else if (d.this.colour_type == 2 || d.this.colour_type == 6)
10520       {
10521          switch (d.this.bit_depth)
10522          {
10523          case 8:
10524 
10525             if (d.maxerrout > d.pm->error_color_8)
10526                d.pm->error_color_8 = d.maxerrout;
10527 
10528             break;
10529 
10530          case 16:
10531 
10532             if (d.maxerrout > d.pm->error_color_16)
10533                d.pm->error_color_16 = d.maxerrout;
10534 
10535             break;
10536 
10537          default:
10538             png_error(pp, "bad bit depth (internal: 2)");
10539          }
10540       }
10541 
10542       else if (d.this.colour_type == 3)
10543       {
10544          if (d.maxerrout > d.pm->error_indexed)
10545             d.pm->error_indexed = d.maxerrout;
10546       }
10547    }
10548 
10549    Catch(fault)
10550       modifier_reset(voidcast(png_modifier*,(void*)fault));
10551 }
10552 
gamma_threshold_test(png_modifier * pm,png_byte colour_type,png_byte bit_depth,int interlace_type,double file_gamma,double screen_gamma)10553 static void gamma_threshold_test(png_modifier *pm, png_byte colour_type,
10554     png_byte bit_depth, int interlace_type, double file_gamma,
10555     double screen_gamma)
10556 {
10557    size_t pos = 0;
10558    char name[64];
10559    pos = safecat(name, sizeof name, pos, "threshold ");
10560    pos = safecatd(name, sizeof name, pos, file_gamma, 3);
10561    pos = safecat(name, sizeof name, pos, "/");
10562    pos = safecatd(name, sizeof name, pos, screen_gamma, 3);
10563 
10564    (void)gamma_test(pm, colour_type, bit_depth, 0/*palette*/, interlace_type,
10565       file_gamma, screen_gamma, 0/*sBIT*/, 1/*threshold test*/, name,
10566       0 /*no input precision*/,
10567       0 /*no scale16*/, 0 /*no expand16*/, 0 /*no background*/, 0 /*hence*/,
10568       0 /*no background gamma*/);
10569 }
10570 
10571 static void
perform_gamma_threshold_tests(png_modifier * pm)10572 perform_gamma_threshold_tests(png_modifier *pm)
10573 {
10574    png_byte colour_type = 0;
10575    png_byte bit_depth = 0;
10576    unsigned int palette_number = 0;
10577 
10578    /* Don't test more than one instance of each palette - it's pointless, in
10579     * fact this test is somewhat excessive since libpng doesn't make this
10580     * decision based on colour type or bit depth!
10581     *
10582     * CHANGED: now test two palettes and, as a side effect, images with and
10583     * without tRNS.
10584     */
10585    while (next_format(&colour_type, &bit_depth, &palette_number,
10586                       pm->test_lbg_gamma_threshold, pm->test_tRNS))
10587       if (palette_number < 2)
10588    {
10589       double test_gamma = 1.0;
10590       while (test_gamma >= .4)
10591       {
10592          /* There's little point testing the interlacing vs non-interlacing,
10593           * but this can be set from the command line.
10594           */
10595          gamma_threshold_test(pm, colour_type, bit_depth, pm->interlace_type,
10596             test_gamma, 1/test_gamma);
10597          test_gamma *= .95;
10598       }
10599 
10600       /* And a special test for sRGB */
10601       gamma_threshold_test(pm, colour_type, bit_depth, pm->interlace_type,
10602           .45455, 2.2);
10603 
10604       if (fail(pm))
10605          return;
10606    }
10607 }
10608 
gamma_transform_test(png_modifier * pm,const png_byte colour_type,const png_byte bit_depth,const int palette_number,const int interlace_type,const double file_gamma,const double screen_gamma,const png_byte sbit,const int use_input_precision,const int scale16)10609 static void gamma_transform_test(png_modifier *pm,
10610    const png_byte colour_type, const png_byte bit_depth,
10611    const int palette_number,
10612    const int interlace_type, const double file_gamma,
10613    const double screen_gamma, const png_byte sbit,
10614    const int use_input_precision, const int scale16)
10615 {
10616    size_t pos = 0;
10617    char name[64];
10618 
10619    if (sbit != bit_depth && sbit != 0)
10620    {
10621       pos = safecat(name, sizeof name, pos, "sbit(");
10622       pos = safecatn(name, sizeof name, pos, sbit);
10623       pos = safecat(name, sizeof name, pos, ") ");
10624    }
10625 
10626    else
10627       pos = safecat(name, sizeof name, pos, "gamma ");
10628 
10629    if (scale16)
10630       pos = safecat(name, sizeof name, pos, "16to8 ");
10631 
10632    pos = safecatd(name, sizeof name, pos, file_gamma, 3);
10633    pos = safecat(name, sizeof name, pos, "->");
10634    pos = safecatd(name, sizeof name, pos, screen_gamma, 3);
10635 
10636    gamma_test(pm, colour_type, bit_depth, palette_number, interlace_type,
10637       file_gamma, screen_gamma, sbit, 0, name, use_input_precision,
10638       scale16, pm->test_gamma_expand16, 0 , 0, 0);
10639 }
10640 
perform_gamma_transform_tests(png_modifier * pm)10641 static void perform_gamma_transform_tests(png_modifier *pm)
10642 {
10643    png_byte colour_type = 0;
10644    png_byte bit_depth = 0;
10645    unsigned int palette_number = 0;
10646 
10647    while (next_format(&colour_type, &bit_depth, &palette_number,
10648                       pm->test_lbg_gamma_transform, pm->test_tRNS))
10649    {
10650       unsigned int i, j;
10651 
10652       for (i=0; i<pm->ngamma_tests; ++i) for (j=0; j<pm->ngamma_tests; ++j)
10653          if (i != j)
10654          {
10655             gamma_transform_test(pm, colour_type, bit_depth, palette_number,
10656                pm->interlace_type, 1/pm->gammas[i], pm->gammas[j], 0/*sBIT*/,
10657                pm->use_input_precision, 0 /*do not scale16*/);
10658 
10659             if (fail(pm))
10660                return;
10661          }
10662    }
10663 }
10664 
perform_gamma_sbit_tests(png_modifier * pm)10665 static void perform_gamma_sbit_tests(png_modifier *pm)
10666 {
10667    png_byte sbit;
10668 
10669    /* The only interesting cases are colour and grayscale, alpha is ignored here
10670     * for overall speed.  Only bit depths where sbit is less than the bit depth
10671     * are tested.
10672     */
10673    for (sbit=pm->sbitlow; sbit<(1<<READ_BDHI); ++sbit)
10674    {
10675       png_byte colour_type = 0, bit_depth = 0;
10676       unsigned int npalette = 0;
10677 
10678       while (next_format(&colour_type, &bit_depth, &npalette,
10679                          pm->test_lbg_gamma_sbit, pm->test_tRNS))
10680          if ((colour_type & PNG_COLOR_MASK_ALPHA) == 0 &&
10681             ((colour_type == 3 && sbit < 8) ||
10682             (colour_type != 3 && sbit < bit_depth)))
10683       {
10684          unsigned int i;
10685 
10686          for (i=0; i<pm->ngamma_tests; ++i)
10687          {
10688             unsigned int j;
10689 
10690             for (j=0; j<pm->ngamma_tests; ++j) if (i != j)
10691             {
10692                gamma_transform_test(pm, colour_type, bit_depth, npalette,
10693                   pm->interlace_type, 1/pm->gammas[i], pm->gammas[j],
10694                   sbit, pm->use_input_precision_sbit, 0 /*scale16*/);
10695 
10696                if (fail(pm))
10697                   return;
10698             }
10699          }
10700       }
10701    }
10702 }
10703 
10704 /* Note that this requires a 16 bit source image but produces 8 bit output, so
10705  * we only need the 16bit write support, but the 16 bit images are only
10706  * generated if DO_16BIT is defined.
10707  */
10708 #ifdef DO_16BIT
perform_gamma_scale16_tests(png_modifier * pm)10709 static void perform_gamma_scale16_tests(png_modifier *pm)
10710 {
10711 #  ifndef PNG_MAX_GAMMA_8
10712 #     define PNG_MAX_GAMMA_8 11
10713 #  endif
10714 #  if defined PNG_MAX_GAMMA_8 || PNG_LIBPNG_VER < 10700
10715 #     define SBIT_16_TO_8 PNG_MAX_GAMMA_8
10716 #  else
10717 #     define SBIT_16_TO_8 16
10718 #  endif
10719    /* Include the alpha cases here. Note that sbit matches the internal value
10720     * used by the library - otherwise we will get spurious errors from the
10721     * internal sbit style approximation.
10722     *
10723     * The threshold test is here because otherwise the 16 to 8 conversion will
10724     * proceed *without* gamma correction, and the tests above will fail (but not
10725     * by much) - this could be fixed, it only appears with the -g option.
10726     */
10727    unsigned int i, j;
10728    for (i=0; i<pm->ngamma_tests; ++i)
10729    {
10730       for (j=0; j<pm->ngamma_tests; ++j)
10731       {
10732          if (i != j &&
10733              fabs(pm->gammas[j]/pm->gammas[i]-1) >= PNG_GAMMA_THRESHOLD)
10734          {
10735             gamma_transform_test(pm, 0, 16, 0, pm->interlace_type,
10736                1/pm->gammas[i], pm->gammas[j], SBIT_16_TO_8,
10737                pm->use_input_precision_16to8, 1 /*scale16*/);
10738 
10739             if (fail(pm))
10740                return;
10741 
10742             gamma_transform_test(pm, 2, 16, 0, pm->interlace_type,
10743                1/pm->gammas[i], pm->gammas[j], SBIT_16_TO_8,
10744                pm->use_input_precision_16to8, 1 /*scale16*/);
10745 
10746             if (fail(pm))
10747                return;
10748 
10749             gamma_transform_test(pm, 4, 16, 0, pm->interlace_type,
10750                1/pm->gammas[i], pm->gammas[j], SBIT_16_TO_8,
10751                pm->use_input_precision_16to8, 1 /*scale16*/);
10752 
10753             if (fail(pm))
10754                return;
10755 
10756             gamma_transform_test(pm, 6, 16, 0, pm->interlace_type,
10757                1/pm->gammas[i], pm->gammas[j], SBIT_16_TO_8,
10758                pm->use_input_precision_16to8, 1 /*scale16*/);
10759 
10760             if (fail(pm))
10761                return;
10762          }
10763       }
10764    }
10765 }
10766 #endif /* 16 to 8 bit conversion */
10767 
10768 #if defined(PNG_READ_BACKGROUND_SUPPORTED) ||\
10769    defined(PNG_READ_ALPHA_MODE_SUPPORTED)
gamma_composition_test(png_modifier * pm,const png_byte colour_type,const png_byte bit_depth,const int palette_number,const int interlace_type,const double file_gamma,const double screen_gamma,const int use_input_precision,const int do_background,const int expand_16)10770 static void gamma_composition_test(png_modifier *pm,
10771    const png_byte colour_type, const png_byte bit_depth,
10772    const int palette_number,
10773    const int interlace_type, const double file_gamma,
10774    const double screen_gamma,
10775    const int use_input_precision, const int do_background,
10776    const int expand_16)
10777 {
10778    size_t pos = 0;
10779    png_const_charp base;
10780    double bg;
10781    char name[128];
10782    png_color_16 background;
10783 
10784    /* Make up a name and get an appropriate background gamma value. */
10785    switch (do_background)
10786    {
10787       default:
10788          base = "";
10789          bg = 4; /* should not be used */
10790          break;
10791       case PNG_BACKGROUND_GAMMA_SCREEN:
10792          base = " bckg(Screen):";
10793          bg = 1/screen_gamma;
10794          break;
10795       case PNG_BACKGROUND_GAMMA_FILE:
10796          base = " bckg(File):";
10797          bg = file_gamma;
10798          break;
10799       case PNG_BACKGROUND_GAMMA_UNIQUE:
10800          base = " bckg(Unique):";
10801          /* This tests the handling of a unique value, the math is such that the
10802           * value tends to be <1, but is neither screen nor file (even if they
10803           * match!)
10804           */
10805          bg = (file_gamma + screen_gamma) / 3;
10806          break;
10807 #ifdef PNG_READ_ALPHA_MODE_SUPPORTED
10808       case ALPHA_MODE_OFFSET + PNG_ALPHA_PNG:
10809          base = " alpha(PNG)";
10810          bg = 4; /* should not be used */
10811          break;
10812       case ALPHA_MODE_OFFSET + PNG_ALPHA_STANDARD:
10813          base = " alpha(Porter-Duff)";
10814          bg = 4; /* should not be used */
10815          break;
10816       case ALPHA_MODE_OFFSET + PNG_ALPHA_OPTIMIZED:
10817          base = " alpha(Optimized)";
10818          bg = 4; /* should not be used */
10819          break;
10820       case ALPHA_MODE_OFFSET + PNG_ALPHA_BROKEN:
10821          base = " alpha(Broken)";
10822          bg = 4; /* should not be used */
10823          break;
10824 #endif
10825    }
10826 
10827    /* Use random background values - the background is always presented in the
10828     * output space (8 or 16 bit components).
10829     */
10830    if (expand_16 || bit_depth == 16)
10831    {
10832       png_uint_32 r = random_32();
10833 
10834       background.red = (png_uint_16)r;
10835       background.green = (png_uint_16)(r >> 16);
10836       r = random_32();
10837       background.blue = (png_uint_16)r;
10838       background.gray = (png_uint_16)(r >> 16);
10839 
10840       /* In earlier libpng versions, those where DIGITIZE is set, any background
10841        * gamma correction in the expand16 case was done using 8-bit gamma
10842        * correction tables, resulting in larger errors.  To cope with those
10843        * cases use a 16-bit background value which will handle this gamma
10844        * correction.
10845        */
10846 #     if DIGITIZE
10847          if (expand_16 && (do_background == PNG_BACKGROUND_GAMMA_UNIQUE ||
10848                            do_background == PNG_BACKGROUND_GAMMA_FILE) &&
10849             fabs(bg*screen_gamma-1) > PNG_GAMMA_THRESHOLD)
10850          {
10851             /* The background values will be looked up in an 8-bit table to do
10852              * the gamma correction, so only select values which are an exact
10853              * match for the 8-bit table entries:
10854              */
10855             background.red = (png_uint_16)((background.red >> 8) * 257);
10856             background.green = (png_uint_16)((background.green >> 8) * 257);
10857             background.blue = (png_uint_16)((background.blue >> 8) * 257);
10858             background.gray = (png_uint_16)((background.gray >> 8) * 257);
10859          }
10860 #     endif
10861    }
10862 
10863    else /* 8 bit colors */
10864    {
10865       png_uint_32 r = random_32();
10866 
10867       background.red = (png_byte)r;
10868       background.green = (png_byte)(r >> 8);
10869       background.blue = (png_byte)(r >> 16);
10870       background.gray = (png_byte)(r >> 24);
10871    }
10872 
10873    background.index = 193; /* rgb(193,193,193) to detect errors */
10874 
10875    if (!(colour_type & PNG_COLOR_MASK_COLOR))
10876    {
10877       /* Because, currently, png_set_background is always called with
10878        * 'need_expand' false in this case and because the gamma test itself
10879        * doesn't cause an expand to 8-bit for lower bit depths the colour must
10880        * be reduced to the correct range.
10881        */
10882       if (bit_depth < 8)
10883          background.gray &= (png_uint_16)((1U << bit_depth)-1);
10884 
10885       /* Grayscale input, we do not convert to RGB (TBD), so we must set the
10886        * background to gray - else libpng seems to fail.
10887        */
10888       background.red = background.green = background.blue = background.gray;
10889    }
10890 
10891    pos = safecat(name, sizeof name, pos, "gamma ");
10892    pos = safecatd(name, sizeof name, pos, file_gamma, 3);
10893    pos = safecat(name, sizeof name, pos, "->");
10894    pos = safecatd(name, sizeof name, pos, screen_gamma, 3);
10895 
10896    pos = safecat(name, sizeof name, pos, base);
10897    if (do_background < ALPHA_MODE_OFFSET)
10898    {
10899       /* Include the background color and gamma in the name: */
10900       pos = safecat(name, sizeof name, pos, "(");
10901       /* This assumes no expand gray->rgb - the current code won't handle that!
10902        */
10903       if (colour_type & PNG_COLOR_MASK_COLOR)
10904       {
10905          pos = safecatn(name, sizeof name, pos, background.red);
10906          pos = safecat(name, sizeof name, pos, ",");
10907          pos = safecatn(name, sizeof name, pos, background.green);
10908          pos = safecat(name, sizeof name, pos, ",");
10909          pos = safecatn(name, sizeof name, pos, background.blue);
10910       }
10911       else
10912          pos = safecatn(name, sizeof name, pos, background.gray);
10913       pos = safecat(name, sizeof name, pos, ")^");
10914       pos = safecatd(name, sizeof name, pos, bg, 3);
10915    }
10916 
10917    gamma_test(pm, colour_type, bit_depth, palette_number, interlace_type,
10918       file_gamma, screen_gamma, 0/*sBIT*/, 0, name, use_input_precision,
10919       0/*strip 16*/, expand_16, do_background, &background, bg);
10920 }
10921 
10922 
10923 static void
perform_gamma_composition_tests(png_modifier * pm,int do_background,int expand_16)10924 perform_gamma_composition_tests(png_modifier *pm, int do_background,
10925    int expand_16)
10926 {
10927    png_byte colour_type = 0;
10928    png_byte bit_depth = 0;
10929    unsigned int palette_number = 0;
10930 
10931    /* Skip the non-alpha cases - there is no setting of a transparency colour at
10932     * present.
10933     *
10934     * TODO: incorrect; the palette case sets tRNS and, now RGB and gray do,
10935     * however the palette case fails miserably so is commented out below.
10936     */
10937    while (next_format(&colour_type, &bit_depth, &palette_number,
10938                       pm->test_lbg_gamma_composition, pm->test_tRNS))
10939       if ((colour_type & PNG_COLOR_MASK_ALPHA) != 0
10940 #if 0 /* TODO: FIXME */
10941           /*TODO: FIXME: this should work */
10942           || colour_type == 3
10943 #endif
10944           || (colour_type != 3 && palette_number != 0))
10945    {
10946       unsigned int i, j;
10947 
10948       /* Don't skip the i==j case here - it's relevant. */
10949       for (i=0; i<pm->ngamma_tests; ++i) for (j=0; j<pm->ngamma_tests; ++j)
10950       {
10951          gamma_composition_test(pm, colour_type, bit_depth, palette_number,
10952             pm->interlace_type, 1/pm->gammas[i], pm->gammas[j],
10953             pm->use_input_precision, do_background, expand_16);
10954 
10955          if (fail(pm))
10956             return;
10957       }
10958    }
10959 }
10960 #endif /* READ_BACKGROUND || READ_ALPHA_MODE */
10961 
10962 static void
init_gamma_errors(png_modifier * pm)10963 init_gamma_errors(png_modifier *pm)
10964 {
10965    /* Use -1 to catch tests that were not actually run */
10966    pm->error_gray_2 = pm->error_gray_4 = pm->error_gray_8 = -1.;
10967    pm->error_color_8 = -1.;
10968    pm->error_indexed = -1.;
10969    pm->error_gray_16 = pm->error_color_16 = -1.;
10970 }
10971 
10972 static void
print_one(const char * leader,double err)10973 print_one(const char *leader, double err)
10974 {
10975    if (err != -1.)
10976       printf(" %s %.5f\n", leader, err);
10977 }
10978 
10979 static void
summarize_gamma_errors(png_modifier * pm,png_const_charp who,int low_bit_depth,int indexed)10980 summarize_gamma_errors(png_modifier *pm, png_const_charp who, int low_bit_depth,
10981    int indexed)
10982 {
10983    fflush(stderr);
10984 
10985    if (who)
10986       printf("\nGamma correction with %s:\n", who);
10987 
10988    else
10989       printf("\nBasic gamma correction:\n");
10990 
10991    if (low_bit_depth)
10992    {
10993       print_one(" 2 bit gray: ", pm->error_gray_2);
10994       print_one(" 4 bit gray: ", pm->error_gray_4);
10995       print_one(" 8 bit gray: ", pm->error_gray_8);
10996       print_one(" 8 bit color:", pm->error_color_8);
10997       if (indexed)
10998          print_one(" indexed:    ", pm->error_indexed);
10999    }
11000 
11001    print_one("16 bit gray: ", pm->error_gray_16);
11002    print_one("16 bit color:", pm->error_color_16);
11003 
11004    fflush(stdout);
11005 }
11006 
11007 static void
perform_gamma_test(png_modifier * pm,int summary)11008 perform_gamma_test(png_modifier *pm, int summary)
11009 {
11010    /*TODO: remove this*/
11011    /* Save certain values for the temporary overrides below. */
11012    unsigned int calculations_use_input_precision =
11013       pm->calculations_use_input_precision;
11014 #  ifdef PNG_READ_BACKGROUND_SUPPORTED
11015       double maxout8 = pm->maxout8;
11016 #  endif
11017 
11018    /* First some arbitrary no-transform tests: */
11019    if (!pm->this.speed && pm->test_gamma_threshold)
11020    {
11021       perform_gamma_threshold_tests(pm);
11022 
11023       if (fail(pm))
11024          return;
11025    }
11026 
11027    /* Now some real transforms. */
11028    if (pm->test_gamma_transform)
11029    {
11030       if (summary)
11031       {
11032          fflush(stderr);
11033          printf("Gamma correction error summary\n\n");
11034          printf("The printed value is the maximum error in the pixel values\n");
11035          printf("calculated by the libpng gamma correction code.  The error\n");
11036          printf("is calculated as the difference between the output pixel\n");
11037          printf("value (always an integer) and the ideal value from the\n");
11038          printf("libpng specification (typically not an integer).\n\n");
11039 
11040          printf("Expect this value to be less than .5 for 8 bit formats,\n");
11041          printf("less than 1 for formats with fewer than 8 bits and a small\n");
11042          printf("number (typically less than 5) for the 16 bit formats.\n");
11043          printf("For performance reasons the value for 16 bit formats\n");
11044          printf("increases when the image file includes an sBIT chunk.\n");
11045          fflush(stdout);
11046       }
11047 
11048       init_gamma_errors(pm);
11049       /*TODO: remove this.  Necessary because the current libpng
11050        * implementation works in 8 bits:
11051        */
11052       if (pm->test_gamma_expand16)
11053          pm->calculations_use_input_precision = 1;
11054       perform_gamma_transform_tests(pm);
11055       if (!calculations_use_input_precision)
11056          pm->calculations_use_input_precision = 0;
11057 
11058       if (summary)
11059          summarize_gamma_errors(pm, 0/*who*/, 1/*low bit depth*/, 1/*indexed*/);
11060 
11061       if (fail(pm))
11062          return;
11063    }
11064 
11065    /* The sbit tests produce much larger errors: */
11066    if (pm->test_gamma_sbit)
11067    {
11068       init_gamma_errors(pm);
11069       perform_gamma_sbit_tests(pm);
11070 
11071       if (summary)
11072          summarize_gamma_errors(pm, "sBIT", pm->sbitlow < 8U, 1/*indexed*/);
11073 
11074       if (fail(pm))
11075          return;
11076    }
11077 
11078 #ifdef DO_16BIT /* Should be READ_16BIT_SUPPORTED */
11079    if (pm->test_gamma_scale16)
11080    {
11081       /* The 16 to 8 bit strip operations: */
11082       init_gamma_errors(pm);
11083       perform_gamma_scale16_tests(pm);
11084 
11085       if (summary)
11086       {
11087          fflush(stderr);
11088          printf("\nGamma correction with 16 to 8 bit reduction:\n");
11089          printf(" 16 bit gray:  %.5f\n", pm->error_gray_16);
11090          printf(" 16 bit color: %.5f\n", pm->error_color_16);
11091          fflush(stdout);
11092       }
11093 
11094       if (fail(pm))
11095          return;
11096    }
11097 #endif
11098 
11099 #ifdef PNG_READ_BACKGROUND_SUPPORTED
11100    if (pm->test_gamma_background)
11101    {
11102       init_gamma_errors(pm);
11103 
11104       /*TODO: remove this.  Necessary because the current libpng
11105        * implementation works in 8 bits:
11106        */
11107       if (pm->test_gamma_expand16)
11108       {
11109          pm->calculations_use_input_precision = 1;
11110          pm->maxout8 = .499; /* because the 16 bit background is smashed */
11111       }
11112       perform_gamma_composition_tests(pm, PNG_BACKGROUND_GAMMA_UNIQUE,
11113          pm->test_gamma_expand16);
11114       if (!calculations_use_input_precision)
11115          pm->calculations_use_input_precision = 0;
11116       pm->maxout8 = maxout8;
11117 
11118       if (summary)
11119          summarize_gamma_errors(pm, "background", 1, 0/*indexed*/);
11120 
11121       if (fail(pm))
11122          return;
11123    }
11124 #endif
11125 
11126 #ifdef PNG_READ_ALPHA_MODE_SUPPORTED
11127    if (pm->test_gamma_alpha_mode)
11128    {
11129       int do_background;
11130 
11131       init_gamma_errors(pm);
11132 
11133       /*TODO: remove this.  Necessary because the current libpng
11134        * implementation works in 8 bits:
11135        */
11136       if (pm->test_gamma_expand16)
11137          pm->calculations_use_input_precision = 1;
11138       for (do_background = ALPHA_MODE_OFFSET + PNG_ALPHA_STANDARD;
11139          do_background <= ALPHA_MODE_OFFSET + PNG_ALPHA_BROKEN && !fail(pm);
11140          ++do_background)
11141          perform_gamma_composition_tests(pm, do_background,
11142             pm->test_gamma_expand16);
11143       if (!calculations_use_input_precision)
11144          pm->calculations_use_input_precision = 0;
11145 
11146       if (summary)
11147          summarize_gamma_errors(pm, "alpha mode", 1, 0/*indexed*/);
11148 
11149       if (fail(pm))
11150          return;
11151    }
11152 #endif
11153 }
11154 #endif /* PNG_READ_GAMMA_SUPPORTED */
11155 #endif /* PNG_READ_SUPPORTED */
11156 
11157 /* INTERLACE MACRO VALIDATION */
11158 /* This is copied verbatim from the specification, it is simply the pass
11159  * number in which each pixel in each 8x8 tile appears.  The array must
11160  * be indexed adam7[y][x] and notice that the pass numbers are based at
11161  * 1, not 0 - the base libpng uses.
11162  */
11163 static const
11164 png_byte adam7[8][8] =
11165 {
11166    { 1,6,4,6,2,6,4,6 },
11167    { 7,7,7,7,7,7,7,7 },
11168    { 5,6,5,6,5,6,5,6 },
11169    { 7,7,7,7,7,7,7,7 },
11170    { 3,6,4,6,3,6,4,6 },
11171    { 7,7,7,7,7,7,7,7 },
11172    { 5,6,5,6,5,6,5,6 },
11173    { 7,7,7,7,7,7,7,7 }
11174 };
11175 
11176 /* This routine validates all the interlace support macros in png.h for
11177  * a variety of valid PNG widths and heights.  It uses a number of similarly
11178  * named internal routines that feed off the above array.
11179  */
11180 static png_uint_32
png_pass_start_row(int pass)11181 png_pass_start_row(int pass)
11182 {
11183    int x, y;
11184    ++pass;
11185    for (y=0; y<8; ++y) for (x=0; x<8; ++x) if (adam7[y][x] == pass)
11186       return y;
11187    return 0xf;
11188 }
11189 
11190 static png_uint_32
png_pass_start_col(int pass)11191 png_pass_start_col(int pass)
11192 {
11193    int x, y;
11194    ++pass;
11195    for (x=0; x<8; ++x) for (y=0; y<8; ++y) if (adam7[y][x] == pass)
11196       return x;
11197    return 0xf;
11198 }
11199 
11200 static int
png_pass_row_shift(int pass)11201 png_pass_row_shift(int pass)
11202 {
11203    int x, y, base=(-1), inc=8;
11204    ++pass;
11205    for (y=0; y<8; ++y) for (x=0; x<8; ++x) if (adam7[y][x] == pass)
11206    {
11207       if (base == (-1))
11208          base = y;
11209       else if (base == y)
11210          {}
11211       else if (inc == y-base)
11212          base=y;
11213       else if (inc == 8)
11214          inc = y-base, base=y;
11215       else if (inc != y-base)
11216          return 0xff; /* error - more than one 'inc' value! */
11217    }
11218 
11219    if (base == (-1)) return 0xfe; /* error - no row in pass! */
11220 
11221    /* The shift is always 1, 2 or 3 - no pass has all the rows! */
11222    switch (inc)
11223    {
11224 case 2: return 1;
11225 case 4: return 2;
11226 case 8: return 3;
11227 default: break;
11228    }
11229 
11230    /* error - unrecognized 'inc' */
11231    return (inc << 8) + 0xfd;
11232 }
11233 
11234 static int
png_pass_col_shift(int pass)11235 png_pass_col_shift(int pass)
11236 {
11237    int x, y, base=(-1), inc=8;
11238    ++pass;
11239    for (x=0; x<8; ++x) for (y=0; y<8; ++y) if (adam7[y][x] == pass)
11240    {
11241       if (base == (-1))
11242          base = x;
11243       else if (base == x)
11244          {}
11245       else if (inc == x-base)
11246          base=x;
11247       else if (inc == 8)
11248          inc = x-base, base=x;
11249       else if (inc != x-base)
11250          return 0xff; /* error - more than one 'inc' value! */
11251    }
11252 
11253    if (base == (-1)) return 0xfe; /* error - no row in pass! */
11254 
11255    /* The shift is always 1, 2 or 3 - no pass has all the rows! */
11256    switch (inc)
11257    {
11258 case 1: return 0; /* pass 7 has all the columns */
11259 case 2: return 1;
11260 case 4: return 2;
11261 case 8: return 3;
11262 default: break;
11263    }
11264 
11265    /* error - unrecognized 'inc' */
11266    return (inc << 8) + 0xfd;
11267 }
11268 
11269 static png_uint_32
png_row_from_pass_row(png_uint_32 yIn,int pass)11270 png_row_from_pass_row(png_uint_32 yIn, int pass)
11271 {
11272    /* By examination of the array: */
11273    switch (pass)
11274    {
11275 case 0: return yIn * 8;
11276 case 1: return yIn * 8;
11277 case 2: return yIn * 8 + 4;
11278 case 3: return yIn * 4;
11279 case 4: return yIn * 4 + 2;
11280 case 5: return yIn * 2;
11281 case 6: return yIn * 2 + 1;
11282 default: break;
11283    }
11284 
11285    return 0xff; /* bad pass number */
11286 }
11287 
11288 static png_uint_32
png_col_from_pass_col(png_uint_32 xIn,int pass)11289 png_col_from_pass_col(png_uint_32 xIn, int pass)
11290 {
11291    /* By examination of the array: */
11292    switch (pass)
11293    {
11294 case 0: return xIn * 8;
11295 case 1: return xIn * 8 + 4;
11296 case 2: return xIn * 4;
11297 case 3: return xIn * 4 + 2;
11298 case 4: return xIn * 2;
11299 case 5: return xIn * 2 + 1;
11300 case 6: return xIn;
11301 default: break;
11302    }
11303 
11304    return 0xff; /* bad pass number */
11305 }
11306 
11307 static int
png_row_in_interlace_pass(png_uint_32 y,int pass)11308 png_row_in_interlace_pass(png_uint_32 y, int pass)
11309 {
11310    /* Is row 'y' in pass 'pass'? */
11311    int x;
11312    y &= 7;
11313    ++pass;
11314    for (x=0; x<8; ++x) if (adam7[y][x] == pass)
11315       return 1;
11316 
11317    return 0;
11318 }
11319 
11320 static int
png_col_in_interlace_pass(png_uint_32 x,int pass)11321 png_col_in_interlace_pass(png_uint_32 x, int pass)
11322 {
11323    /* Is column 'x' in pass 'pass'? */
11324    int y;
11325    x &= 7;
11326    ++pass;
11327    for (y=0; y<8; ++y) if (adam7[y][x] == pass)
11328       return 1;
11329 
11330    return 0;
11331 }
11332 
11333 static png_uint_32
png_pass_rows(png_uint_32 height,int pass)11334 png_pass_rows(png_uint_32 height, int pass)
11335 {
11336    png_uint_32 tiles = height>>3;
11337    png_uint_32 rows = 0;
11338    unsigned int x, y;
11339 
11340    height &= 7;
11341    ++pass;
11342    for (y=0; y<8; ++y) for (x=0; x<8; ++x) if (adam7[y][x] == pass)
11343    {
11344       rows += tiles;
11345       if (y < height) ++rows;
11346       break; /* i.e. break the 'x', column, loop. */
11347    }
11348 
11349    return rows;
11350 }
11351 
11352 static png_uint_32
png_pass_cols(png_uint_32 width,int pass)11353 png_pass_cols(png_uint_32 width, int pass)
11354 {
11355    png_uint_32 tiles = width>>3;
11356    png_uint_32 cols = 0;
11357    unsigned int x, y;
11358 
11359    width &= 7;
11360    ++pass;
11361    for (x=0; x<8; ++x) for (y=0; y<8; ++y) if (adam7[y][x] == pass)
11362    {
11363       cols += tiles;
11364       if (x < width) ++cols;
11365       break; /* i.e. break the 'y', row, loop. */
11366    }
11367 
11368    return cols;
11369 }
11370 
11371 static void
perform_interlace_macro_validation(void)11372 perform_interlace_macro_validation(void)
11373 {
11374    /* The macros to validate, first those that depend only on pass:
11375     *
11376     * PNG_PASS_START_ROW(pass)
11377     * PNG_PASS_START_COL(pass)
11378     * PNG_PASS_ROW_SHIFT(pass)
11379     * PNG_PASS_COL_SHIFT(pass)
11380     */
11381    int pass;
11382 
11383    for (pass=0; pass<7; ++pass)
11384    {
11385       png_uint_32 m, f, v;
11386 
11387       m = PNG_PASS_START_ROW(pass);
11388       f = png_pass_start_row(pass);
11389       if (m != f)
11390       {
11391          fprintf(stderr, "PNG_PASS_START_ROW(%d) = %u != %x\n", pass, m, f);
11392          exit(99);
11393       }
11394 
11395       m = PNG_PASS_START_COL(pass);
11396       f = png_pass_start_col(pass);
11397       if (m != f)
11398       {
11399          fprintf(stderr, "PNG_PASS_START_COL(%d) = %u != %x\n", pass, m, f);
11400          exit(99);
11401       }
11402 
11403       m = PNG_PASS_ROW_SHIFT(pass);
11404       f = png_pass_row_shift(pass);
11405       if (m != f)
11406       {
11407          fprintf(stderr, "PNG_PASS_ROW_SHIFT(%d) = %u != %x\n", pass, m, f);
11408          exit(99);
11409       }
11410 
11411       m = PNG_PASS_COL_SHIFT(pass);
11412       f = png_pass_col_shift(pass);
11413       if (m != f)
11414       {
11415          fprintf(stderr, "PNG_PASS_COL_SHIFT(%d) = %u != %x\n", pass, m, f);
11416          exit(99);
11417       }
11418 
11419       /* Macros that depend on the image or sub-image height too:
11420        *
11421        * PNG_PASS_ROWS(height, pass)
11422        * PNG_PASS_COLS(width, pass)
11423        * PNG_ROW_FROM_PASS_ROW(yIn, pass)
11424        * PNG_COL_FROM_PASS_COL(xIn, pass)
11425        * PNG_ROW_IN_INTERLACE_PASS(y, pass)
11426        * PNG_COL_IN_INTERLACE_PASS(x, pass)
11427        */
11428       for (v=0;;)
11429       {
11430          /* First the base 0 stuff: */
11431          m = PNG_ROW_FROM_PASS_ROW(v, pass);
11432          f = png_row_from_pass_row(v, pass);
11433          if (m != f)
11434          {
11435             fprintf(stderr, "PNG_ROW_FROM_PASS_ROW(%u, %d) = %u != %x\n",
11436                v, pass, m, f);
11437             exit(99);
11438          }
11439 
11440          m = PNG_COL_FROM_PASS_COL(v, pass);
11441          f = png_col_from_pass_col(v, pass);
11442          if (m != f)
11443          {
11444             fprintf(stderr, "PNG_COL_FROM_PASS_COL(%u, %d) = %u != %x\n",
11445                v, pass, m, f);
11446             exit(99);
11447          }
11448 
11449          m = PNG_ROW_IN_INTERLACE_PASS(v, pass);
11450          f = png_row_in_interlace_pass(v, pass);
11451          if (m != f)
11452          {
11453             fprintf(stderr, "PNG_ROW_IN_INTERLACE_PASS(%u, %d) = %u != %x\n",
11454                v, pass, m, f);
11455             exit(99);
11456          }
11457 
11458          m = PNG_COL_IN_INTERLACE_PASS(v, pass);
11459          f = png_col_in_interlace_pass(v, pass);
11460          if (m != f)
11461          {
11462             fprintf(stderr, "PNG_COL_IN_INTERLACE_PASS(%u, %d) = %u != %x\n",
11463                v, pass, m, f);
11464             exit(99);
11465          }
11466 
11467          /* Then the base 1 stuff: */
11468          ++v;
11469          m = PNG_PASS_ROWS(v, pass);
11470          f = png_pass_rows(v, pass);
11471          if (m != f)
11472          {
11473             fprintf(stderr, "PNG_PASS_ROWS(%u, %d) = %u != %x\n",
11474                v, pass, m, f);
11475             exit(99);
11476          }
11477 
11478          m = PNG_PASS_COLS(v, pass);
11479          f = png_pass_cols(v, pass);
11480          if (m != f)
11481          {
11482             fprintf(stderr, "PNG_PASS_COLS(%u, %d) = %u != %x\n",
11483                v, pass, m, f);
11484             exit(99);
11485          }
11486 
11487          /* Move to the next v - the stepping algorithm starts skipping
11488           * values above 1024.
11489           */
11490          if (v > 1024)
11491          {
11492             if (v == PNG_UINT_31_MAX)
11493                break;
11494 
11495             v = (v << 1) ^ v;
11496             if (v >= PNG_UINT_31_MAX)
11497                v = PNG_UINT_31_MAX-1;
11498          }
11499       }
11500    }
11501 }
11502 
11503 /* Test color encodings. These values are back-calculated from the published
11504  * chromaticities.  The values are accurate to about 14 decimal places; 15 are
11505  * given.  These values are much more accurate than the ones given in the spec,
11506  * which typically don't exceed 4 decimal places.  This allows testing of the
11507  * libpng code to its theoretical accuracy of 4 decimal places.  (If pngvalid
11508  * used the published errors the 'slack' permitted would have to be +/-.5E-4 or
11509  * more.)
11510  *
11511  * The png_modifier code assumes that encodings[0] is sRGB and treats it
11512  * specially: do not change the first entry in this list!
11513  */
11514 static const color_encoding test_encodings[] =
11515 {
11516 /* sRGB: must be first in this list! */
11517 /*gamma:*/ { 1/2.2,
11518 /*red:  */ { 0.412390799265959, 0.212639005871510, 0.019330818715592 },
11519 /*green:*/ { 0.357584339383878, 0.715168678767756, 0.119194779794626 },
11520 /*blue: */ { 0.180480788401834, 0.072192315360734, 0.950532152249660} },
11521 /* Kodak ProPhoto (wide gamut) */
11522 /*gamma:*/ { 1/1.6 /*approximate: uses 1.8 power law compared to sRGB 2.4*/,
11523 /*red:  */ { 0.797760489672303, 0.288071128229293, 0.000000000000000 },
11524 /*green:*/ { 0.135185837175740, 0.711843217810102, 0.000000000000000 },
11525 /*blue: */ { 0.031349349581525, 0.000085653960605, 0.825104602510460} },
11526 /* Adobe RGB (1998) */
11527 /*gamma:*/ { 1/(2+51./256),
11528 /*red:  */ { 0.576669042910131, 0.297344975250536, 0.027031361386412 },
11529 /*green:*/ { 0.185558237906546, 0.627363566255466, 0.070688852535827 },
11530 /*blue: */ { 0.188228646234995, 0.075291458493998, 0.991337536837639} },
11531 /* Adobe Wide Gamut RGB */
11532 /*gamma:*/ { 1/(2+51./256),
11533 /*red:  */ { 0.716500716779386, 0.258728243040113, 0.000000000000000 },
11534 /*green:*/ { 0.101020574397477, 0.724682314948566, 0.051211818965388 },
11535 /*blue: */ { 0.146774385252705, 0.016589442011321, 0.773892783545073} },
11536 /* Fake encoding which selects just the green channel */
11537 /*gamma:*/ { 1.45/2.2, /* the 'Mac' gamma */
11538 /*red:  */ { 0.716500716779386, 0.000000000000000, 0.000000000000000 },
11539 /*green:*/ { 0.101020574397477, 1.000000000000000, 0.051211818965388 },
11540 /*blue: */ { 0.146774385252705, 0.000000000000000, 0.773892783545073} },
11541 };
11542 
11543 /* signal handler
11544  *
11545  * This attempts to trap signals and escape without crashing.  It needs a
11546  * context pointer so that it can throw an exception (call longjmp) to recover
11547  * from the condition; this is handled by making the png_modifier used by 'main'
11548  * into a global variable.
11549  */
11550 static png_modifier pm;
11551 
signal_handler(int signum)11552 static void signal_handler(int signum)
11553 {
11554 
11555    size_t pos = 0;
11556    char msg[64];
11557 
11558    pos = safecat(msg, sizeof msg, pos, "caught signal: ");
11559 
11560    switch (signum)
11561    {
11562       case SIGABRT:
11563          pos = safecat(msg, sizeof msg, pos, "abort");
11564          break;
11565 
11566       case SIGFPE:
11567          pos = safecat(msg, sizeof msg, pos, "floating point exception");
11568          break;
11569 
11570       case SIGILL:
11571          pos = safecat(msg, sizeof msg, pos, "illegal instruction");
11572          break;
11573 
11574       case SIGINT:
11575          pos = safecat(msg, sizeof msg, pos, "interrupt");
11576          break;
11577 
11578       case SIGSEGV:
11579          pos = safecat(msg, sizeof msg, pos, "invalid memory access");
11580          break;
11581 
11582       case SIGTERM:
11583          pos = safecat(msg, sizeof msg, pos, "termination request");
11584          break;
11585 
11586       default:
11587          pos = safecat(msg, sizeof msg, pos, "unknown ");
11588          pos = safecatn(msg, sizeof msg, pos, signum);
11589          break;
11590    }
11591 
11592    store_log(&pm.this, NULL/*png_structp*/, msg, 1/*error*/);
11593 
11594    /* And finally throw an exception so we can keep going, unless this is
11595     * SIGTERM in which case stop now.
11596     */
11597    if (signum != SIGTERM)
11598    {
11599       struct exception_context *the_exception_context =
11600          &pm.this.exception_context;
11601 
11602       Throw &pm.this;
11603    }
11604 
11605    else
11606       exit(1);
11607 }
11608 
11609 /* main program */
main(int argc,char ** argv)11610 int main(int argc, char **argv)
11611 {
11612    int summary = 1;  /* Print the error summary at the end */
11613    int memstats = 0; /* Print memory statistics at the end */
11614 
11615    /* Create the given output file on success: */
11616    const char *touch = NULL;
11617 
11618    /* This is an array of standard gamma values (believe it or not I've seen
11619     * every one of these mentioned somewhere.)
11620     *
11621     * In the following list the most useful values are first!
11622     */
11623    static double
11624       gammas[]={2.2, 1.0, 2.2/1.45, 1.8, 1.5, 2.4, 2.5, 2.62, 2.9};
11625 
11626    /* This records the command and arguments: */
11627    size_t cp = 0;
11628    char command[1024];
11629 
11630    anon_context(&pm.this);
11631 
11632    gnu_volatile(summary)
11633    gnu_volatile(memstats)
11634    gnu_volatile(touch)
11635 
11636    /* Add appropriate signal handlers, just the ANSI specified ones: */
11637    signal(SIGABRT, signal_handler);
11638    signal(SIGFPE, signal_handler);
11639    signal(SIGILL, signal_handler);
11640    signal(SIGINT, signal_handler);
11641    signal(SIGSEGV, signal_handler);
11642    signal(SIGTERM, signal_handler);
11643 
11644 #ifdef HAVE_FEENABLEEXCEPT
11645    /* Only required to enable FP exceptions on platforms where they start off
11646     * disabled; this is not necessary but if it is not done pngvalid will likely
11647     * end up ignoring FP conditions that other platforms fault.
11648     */
11649    feenableexcept(FE_DIVBYZERO | FE_INVALID | FE_OVERFLOW);
11650 #endif
11651 
11652    modifier_init(&pm);
11653 
11654    /* Preallocate the image buffer, because we know how big it needs to be,
11655     * note that, for testing purposes, it is deliberately mis-aligned by tag
11656     * bytes either side.  All rows have an additional five bytes of padding for
11657     * overwrite checking.
11658     */
11659    store_ensure_image(&pm.this, NULL, 2, TRANSFORM_ROWMAX, TRANSFORM_HEIGHTMAX);
11660 
11661    /* Don't give argv[0], it's normally some horrible libtool string: */
11662    cp = safecat(command, sizeof command, cp, "pngvalid");
11663 
11664    /* Default to error on warning: */
11665    pm.this.treat_warnings_as_errors = 1;
11666 
11667    /* Default assume_16_bit_calculations appropriately; this tells the checking
11668     * code that 16-bit arithmetic is used for 8-bit samples when it would make a
11669     * difference.
11670     */
11671    pm.assume_16_bit_calculations = PNG_LIBPNG_VER >= 10700;
11672 
11673    /* Currently 16 bit expansion happens at the end of the pipeline, so the
11674     * calculations are done in the input bit depth not the output.
11675     *
11676     * TODO: fix this
11677     */
11678    pm.calculations_use_input_precision = 1U;
11679 
11680    /* Store the test gammas */
11681    pm.gammas = gammas;
11682    pm.ngammas = ARRAY_SIZE(gammas);
11683    pm.ngamma_tests = 0; /* default to off */
11684 
11685    /* Low bit depth gray images don't do well in the gamma tests, until
11686     * this is fixed turn them off for some gamma cases:
11687     */
11688 #  ifdef PNG_WRITE_tRNS_SUPPORTED
11689       pm.test_tRNS = 1;
11690 #  endif
11691    pm.test_lbg = PNG_LIBPNG_VER >= 10600;
11692    pm.test_lbg_gamma_threshold = 1;
11693    pm.test_lbg_gamma_transform = PNG_LIBPNG_VER >= 10600;
11694    pm.test_lbg_gamma_sbit = 1;
11695    pm.test_lbg_gamma_composition = PNG_LIBPNG_VER >= 10700;
11696 
11697    /* And the test encodings */
11698    pm.encodings = test_encodings;
11699    pm.nencodings = ARRAY_SIZE(test_encodings);
11700 
11701 #  if PNG_LIBPNG_VER < 10700
11702       pm.sbitlow = 8U; /* because libpng doesn't do sBIT below 8! */
11703 #  else
11704       pm.sbitlow = 1U;
11705 #  endif
11706 
11707    /* The following allows results to pass if they correspond to anything in the
11708     * transformed range [input-.5,input+.5]; this is is required because of the
11709     * way libpng treates the 16_TO_8 flag when building the gamma tables in
11710     * releases up to 1.6.0.
11711     *
11712     * TODO: review this
11713     */
11714    pm.use_input_precision_16to8 = 1U;
11715    pm.use_input_precision_sbit = 1U; /* because libpng now rounds sBIT */
11716 
11717    /* Some default values (set the behavior for 'make check' here).
11718     * These values simply control the maximum error permitted in the gamma
11719     * transformations.  The practial limits for human perception are described
11720     * below (the setting for maxpc16), however for 8 bit encodings it isn't
11721     * possible to meet the accepted capabilities of human vision - i.e. 8 bit
11722     * images can never be good enough, regardless of encoding.
11723     */
11724    pm.maxout8 = .1;     /* Arithmetic error in *encoded* value */
11725    pm.maxabs8 = .00005; /* 1/20000 */
11726    pm.maxcalc8 = 1./255;  /* +/-1 in 8 bits for compose errors */
11727    pm.maxpc8 = .499;    /* I.e., .499% fractional error */
11728    pm.maxout16 = .499;  /* Error in *encoded* value */
11729    pm.maxabs16 = .00005;/* 1/20000 */
11730    pm.maxcalc16 =1./65535;/* +/-1 in 16 bits for compose errors */
11731 #  if PNG_LIBPNG_VER < 10700
11732       pm.maxcalcG = 1./((1<<PNG_MAX_GAMMA_8)-1);
11733 #  else
11734       pm.maxcalcG = 1./((1<<16)-1);
11735 #  endif
11736 
11737    /* NOTE: this is a reasonable perceptual limit. We assume that humans can
11738     * perceive light level differences of 1% over a 100:1 range, so we need to
11739     * maintain 1 in 10000 accuracy (in linear light space), which is what the
11740     * following guarantees.  It also allows significantly higher errors at
11741     * higher 16 bit values, which is important for performance.  The actual
11742     * maximum 16 bit error is about +/-1.9 in the fixed point implementation but
11743     * this is only allowed for values >38149 by the following:
11744     */
11745    pm.maxpc16 = .005;   /* I.e., 1/200% - 1/20000 */
11746 
11747    /* Now parse the command line options. */
11748    while (--argc >= 1)
11749    {
11750       int catmore = 0; /* Set if the argument has an argument. */
11751 
11752       /* Record each argument for posterity: */
11753       cp = safecat(command, sizeof command, cp, " ");
11754       cp = safecat(command, sizeof command, cp, *++argv);
11755 
11756       if (strcmp(*argv, "-v") == 0)
11757          pm.this.verbose = 1;
11758 
11759       else if (strcmp(*argv, "-l") == 0)
11760          pm.log = 1;
11761 
11762       else if (strcmp(*argv, "-q") == 0)
11763          summary = pm.this.verbose = pm.log = 0;
11764 
11765       else if (strcmp(*argv, "-w") == 0 ||
11766                strcmp(*argv, "--strict") == 0)
11767          pm.this.treat_warnings_as_errors = 1; /* NOTE: this is the default! */
11768 
11769       else if (strcmp(*argv, "--nostrict") == 0)
11770          pm.this.treat_warnings_as_errors = 0;
11771 
11772       else if (strcmp(*argv, "--speed") == 0)
11773          pm.this.speed = 1, pm.ngamma_tests = pm.ngammas, pm.test_standard = 0,
11774             summary = 0;
11775 
11776       else if (strcmp(*argv, "--memory") == 0)
11777          memstats = 1;
11778 
11779       else if (strcmp(*argv, "--size") == 0)
11780          pm.test_size = 1;
11781 
11782       else if (strcmp(*argv, "--nosize") == 0)
11783          pm.test_size = 0;
11784 
11785       else if (strcmp(*argv, "--standard") == 0)
11786          pm.test_standard = 1;
11787 
11788       else if (strcmp(*argv, "--nostandard") == 0)
11789          pm.test_standard = 0;
11790 
11791       else if (strcmp(*argv, "--transform") == 0)
11792          pm.test_transform = 1;
11793 
11794       else if (strcmp(*argv, "--notransform") == 0)
11795          pm.test_transform = 0;
11796 
11797 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
11798       else if (strncmp(*argv, "--transform-disable=",
11799          sizeof "--transform-disable") == 0)
11800          {
11801          pm.test_transform = 1;
11802          transform_disable(*argv + sizeof "--transform-disable");
11803          }
11804 
11805       else if (strncmp(*argv, "--transform-enable=",
11806          sizeof "--transform-enable") == 0)
11807          {
11808          pm.test_transform = 1;
11809          transform_enable(*argv + sizeof "--transform-enable");
11810          }
11811 #endif /* PNG_READ_TRANSFORMS_SUPPORTED */
11812 
11813       else if (strcmp(*argv, "--gamma") == 0)
11814          {
11815          /* Just do two gamma tests here (2.2 and linear) for speed: */
11816          pm.ngamma_tests = 2U;
11817          pm.test_gamma_threshold = 1;
11818          pm.test_gamma_transform = 1;
11819          pm.test_gamma_sbit = 1;
11820          pm.test_gamma_scale16 = 1;
11821          pm.test_gamma_background = 1; /* composition */
11822          pm.test_gamma_alpha_mode = 1;
11823          }
11824 
11825       else if (strcmp(*argv, "--nogamma") == 0)
11826          pm.ngamma_tests = 0;
11827 
11828       else if (strcmp(*argv, "--gamma-threshold") == 0)
11829          pm.ngamma_tests = 2U, pm.test_gamma_threshold = 1;
11830 
11831       else if (strcmp(*argv, "--nogamma-threshold") == 0)
11832          pm.test_gamma_threshold = 0;
11833 
11834       else if (strcmp(*argv, "--gamma-transform") == 0)
11835          pm.ngamma_tests = 2U, pm.test_gamma_transform = 1;
11836 
11837       else if (strcmp(*argv, "--nogamma-transform") == 0)
11838          pm.test_gamma_transform = 0;
11839 
11840       else if (strcmp(*argv, "--gamma-sbit") == 0)
11841          pm.ngamma_tests = 2U, pm.test_gamma_sbit = 1;
11842 
11843       else if (strcmp(*argv, "--nogamma-sbit") == 0)
11844          pm.test_gamma_sbit = 0;
11845 
11846       else if (strcmp(*argv, "--gamma-16-to-8") == 0)
11847          pm.ngamma_tests = 2U, pm.test_gamma_scale16 = 1;
11848 
11849       else if (strcmp(*argv, "--nogamma-16-to-8") == 0)
11850          pm.test_gamma_scale16 = 0;
11851 
11852       else if (strcmp(*argv, "--gamma-background") == 0)
11853          pm.ngamma_tests = 2U, pm.test_gamma_background = 1;
11854 
11855       else if (strcmp(*argv, "--nogamma-background") == 0)
11856          pm.test_gamma_background = 0;
11857 
11858       else if (strcmp(*argv, "--gamma-alpha-mode") == 0)
11859          pm.ngamma_tests = 2U, pm.test_gamma_alpha_mode = 1;
11860 
11861       else if (strcmp(*argv, "--nogamma-alpha-mode") == 0)
11862          pm.test_gamma_alpha_mode = 0;
11863 
11864       else if (strcmp(*argv, "--expand16") == 0)
11865          pm.test_gamma_expand16 = 1;
11866 
11867       else if (strcmp(*argv, "--noexpand16") == 0)
11868          pm.test_gamma_expand16 = 0;
11869 
11870       else if (strcmp(*argv, "--low-depth-gray") == 0)
11871          pm.test_lbg = pm.test_lbg_gamma_threshold =
11872             pm.test_lbg_gamma_transform = pm.test_lbg_gamma_sbit =
11873             pm.test_lbg_gamma_composition = 1;
11874 
11875       else if (strcmp(*argv, "--nolow-depth-gray") == 0)
11876          pm.test_lbg = pm.test_lbg_gamma_threshold =
11877             pm.test_lbg_gamma_transform = pm.test_lbg_gamma_sbit =
11878             pm.test_lbg_gamma_composition = 0;
11879 
11880 #     ifdef PNG_WRITE_tRNS_SUPPORTED
11881          else if (strcmp(*argv, "--tRNS") == 0)
11882             pm.test_tRNS = 1;
11883 #     endif
11884 
11885       else if (strcmp(*argv, "--notRNS") == 0)
11886          pm.test_tRNS = 0;
11887 
11888       else if (strcmp(*argv, "--more-gammas") == 0)
11889          pm.ngamma_tests = 3U;
11890 
11891       else if (strcmp(*argv, "--all-gammas") == 0)
11892          pm.ngamma_tests = pm.ngammas;
11893 
11894       else if (strcmp(*argv, "--progressive-read") == 0)
11895          pm.this.progressive = 1;
11896 
11897       else if (strcmp(*argv, "--use-update-info") == 0)
11898          ++pm.use_update_info; /* Can call multiple times */
11899 
11900       else if (strcmp(*argv, "--interlace") == 0)
11901       {
11902 #        if CAN_WRITE_INTERLACE
11903             pm.interlace_type = PNG_INTERLACE_ADAM7;
11904 #        else /* !CAN_WRITE_INTERLACE */
11905             fprintf(stderr, "pngvalid: no write interlace support\n");
11906             return SKIP;
11907 #        endif /* !CAN_WRITE_INTERLACE */
11908       }
11909 
11910       else if (strcmp(*argv, "--use-input-precision") == 0)
11911          pm.use_input_precision = 1U;
11912 
11913       else if (strcmp(*argv, "--use-calculation-precision") == 0)
11914          pm.use_input_precision = 0;
11915 
11916       else if (strcmp(*argv, "--calculations-use-input-precision") == 0)
11917          pm.calculations_use_input_precision = 1U;
11918 
11919       else if (strcmp(*argv, "--assume-16-bit-calculations") == 0)
11920          pm.assume_16_bit_calculations = 1U;
11921 
11922       else if (strcmp(*argv, "--calculations-follow-bit-depth") == 0)
11923          pm.calculations_use_input_precision =
11924             pm.assume_16_bit_calculations = 0;
11925 
11926       else if (strcmp(*argv, "--exhaustive") == 0)
11927          pm.test_exhaustive = 1;
11928 
11929       else if (argc > 1 && strcmp(*argv, "--sbitlow") == 0)
11930          --argc, pm.sbitlow = (png_byte)atoi(*++argv), catmore = 1;
11931 
11932       else if (argc > 1 && strcmp(*argv, "--touch") == 0)
11933          --argc, touch = *++argv, catmore = 1;
11934 
11935       else if (argc > 1 && strncmp(*argv, "--max", 5) == 0)
11936       {
11937          --argc;
11938 
11939          if (strcmp(5+*argv, "abs8") == 0)
11940             pm.maxabs8 = atof(*++argv);
11941 
11942          else if (strcmp(5+*argv, "abs16") == 0)
11943             pm.maxabs16 = atof(*++argv);
11944 
11945          else if (strcmp(5+*argv, "calc8") == 0)
11946             pm.maxcalc8 = atof(*++argv);
11947 
11948          else if (strcmp(5+*argv, "calc16") == 0)
11949             pm.maxcalc16 = atof(*++argv);
11950 
11951          else if (strcmp(5+*argv, "out8") == 0)
11952             pm.maxout8 = atof(*++argv);
11953 
11954          else if (strcmp(5+*argv, "out16") == 0)
11955             pm.maxout16 = atof(*++argv);
11956 
11957          else if (strcmp(5+*argv, "pc8") == 0)
11958             pm.maxpc8 = atof(*++argv);
11959 
11960          else if (strcmp(5+*argv, "pc16") == 0)
11961             pm.maxpc16 = atof(*++argv);
11962 
11963          else
11964          {
11965             fprintf(stderr, "pngvalid: %s: unknown 'max' option\n", *argv);
11966             exit(99);
11967          }
11968 
11969          catmore = 1;
11970       }
11971 
11972       else if (strcmp(*argv, "--log8") == 0)
11973          --argc, pm.log8 = atof(*++argv), catmore = 1;
11974 
11975       else if (strcmp(*argv, "--log16") == 0)
11976          --argc, pm.log16 = atof(*++argv), catmore = 1;
11977 
11978 #ifdef PNG_SET_OPTION_SUPPORTED
11979       else if (strncmp(*argv, "--option=", 9) == 0)
11980       {
11981          /* Syntax of the argument is <option>:{on|off} */
11982          const char *arg = 9+*argv;
11983          unsigned char option=0, setting=0;
11984 
11985 #ifdef PNG_ARM_NEON
11986          if (strncmp(arg, "arm-neon:", 9) == 0)
11987             option = PNG_ARM_NEON, arg += 9;
11988 
11989          else
11990 #endif
11991 #ifdef PNG_EXTENSIONS
11992          if (strncmp(arg, "extensions:", 11) == 0)
11993             option = PNG_EXTENSIONS, arg += 11;
11994 
11995          else
11996 #endif
11997 #ifdef PNG_MAXIMUM_INFLATE_WINDOW
11998          if (strncmp(arg, "max-inflate-window:", 19) == 0)
11999             option = PNG_MAXIMUM_INFLATE_WINDOW, arg += 19;
12000 
12001          else
12002 #endif
12003          {
12004             fprintf(stderr, "pngvalid: %s: %s: unknown option\n", *argv, arg);
12005             exit(99);
12006          }
12007 
12008          if (strcmp(arg, "off") == 0)
12009             setting = PNG_OPTION_OFF;
12010 
12011          else if (strcmp(arg, "on") == 0)
12012             setting = PNG_OPTION_ON;
12013 
12014          else
12015          {
12016             fprintf(stderr,
12017                "pngvalid: %s: %s: unknown setting (use 'on' or 'off')\n",
12018                *argv, arg);
12019             exit(99);
12020          }
12021 
12022          pm.this.options[pm.this.noptions].option = option;
12023          pm.this.options[pm.this.noptions++].setting = setting;
12024       }
12025 #endif /* PNG_SET_OPTION_SUPPORTED */
12026 
12027       else
12028       {
12029          fprintf(stderr, "pngvalid: %s: unknown argument\n", *argv);
12030          exit(99);
12031       }
12032 
12033       if (catmore) /* consumed an extra *argv */
12034       {
12035          cp = safecat(command, sizeof command, cp, " ");
12036          cp = safecat(command, sizeof command, cp, *argv);
12037       }
12038    }
12039 
12040    /* If pngvalid is run with no arguments default to a reasonable set of the
12041     * tests.
12042     */
12043    if (pm.test_standard == 0 && pm.test_size == 0 && pm.test_transform == 0 &&
12044       pm.ngamma_tests == 0)
12045    {
12046       /* Make this do all the tests done in the test shell scripts with the same
12047        * parameters, where possible.  The limitation is that all the progressive
12048        * read and interlace stuff has to be done in separate runs, so only the
12049        * basic 'standard' and 'size' tests are done.
12050        */
12051       pm.test_standard = 1;
12052       pm.test_size = 1;
12053       pm.test_transform = 1;
12054       pm.ngamma_tests = 2U;
12055    }
12056 
12057    if (pm.ngamma_tests > 0 &&
12058       pm.test_gamma_threshold == 0 && pm.test_gamma_transform == 0 &&
12059       pm.test_gamma_sbit == 0 && pm.test_gamma_scale16 == 0 &&
12060       pm.test_gamma_background == 0 && pm.test_gamma_alpha_mode == 0)
12061    {
12062       pm.test_gamma_threshold = 1;
12063       pm.test_gamma_transform = 1;
12064       pm.test_gamma_sbit = 1;
12065       pm.test_gamma_scale16 = 1;
12066       pm.test_gamma_background = 1;
12067       pm.test_gamma_alpha_mode = 1;
12068    }
12069 
12070    else if (pm.ngamma_tests == 0)
12071    {
12072       /* Nothing to test so turn everything off: */
12073       pm.test_gamma_threshold = 0;
12074       pm.test_gamma_transform = 0;
12075       pm.test_gamma_sbit = 0;
12076       pm.test_gamma_scale16 = 0;
12077       pm.test_gamma_background = 0;
12078       pm.test_gamma_alpha_mode = 0;
12079    }
12080 
12081    Try
12082    {
12083       /* Make useful base images */
12084       make_transform_images(&pm);
12085 
12086       /* Perform the standard and gamma tests. */
12087       if (pm.test_standard)
12088       {
12089          perform_interlace_macro_validation();
12090          perform_formatting_test(&pm.this);
12091 #        ifdef PNG_READ_SUPPORTED
12092             perform_standard_test(&pm);
12093 #        endif
12094          perform_error_test(&pm);
12095       }
12096 
12097       /* Various oddly sized images: */
12098       if (pm.test_size)
12099       {
12100          make_size_images(&pm.this);
12101 #        ifdef PNG_READ_SUPPORTED
12102             perform_size_test(&pm);
12103 #        endif
12104       }
12105 
12106 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
12107       /* Combinatorial transforms: */
12108       if (pm.test_transform)
12109          perform_transform_test(&pm);
12110 #endif /* PNG_READ_TRANSFORMS_SUPPORTED */
12111 
12112 #ifdef PNG_READ_GAMMA_SUPPORTED
12113       if (pm.ngamma_tests > 0)
12114          perform_gamma_test(&pm, summary);
12115 #endif
12116    }
12117 
12118    Catch_anonymous
12119    {
12120       fprintf(stderr, "pngvalid: test aborted (probably failed in cleanup)\n");
12121       if (!pm.this.verbose)
12122       {
12123          if (pm.this.error[0] != 0)
12124             fprintf(stderr, "pngvalid: first error: %s\n", pm.this.error);
12125 
12126          fprintf(stderr, "pngvalid: run with -v to see what happened\n");
12127       }
12128       exit(1);
12129    }
12130 
12131    if (summary)
12132    {
12133       printf("%s: %s (%s point arithmetic)\n",
12134          (pm.this.nerrors || (pm.this.treat_warnings_as_errors &&
12135             pm.this.nwarnings)) ? "FAIL" : "PASS",
12136          command,
12137 #if defined(PNG_FLOATING_ARITHMETIC_SUPPORTED) || PNG_LIBPNG_VER < 10500
12138          "floating"
12139 #else
12140          "fixed"
12141 #endif
12142          );
12143    }
12144 
12145    if (memstats)
12146    {
12147       printf("Allocated memory statistics (in bytes):\n"
12148          "\tread  %lu maximum single, %lu peak, %lu total\n"
12149          "\twrite %lu maximum single, %lu peak, %lu total\n",
12150          (unsigned long)pm.this.read_memory_pool.max_max,
12151          (unsigned long)pm.this.read_memory_pool.max_limit,
12152          (unsigned long)pm.this.read_memory_pool.max_total,
12153          (unsigned long)pm.this.write_memory_pool.max_max,
12154          (unsigned long)pm.this.write_memory_pool.max_limit,
12155          (unsigned long)pm.this.write_memory_pool.max_total);
12156    }
12157 
12158    /* Do this here to provoke memory corruption errors in memory not directly
12159     * allocated by libpng - not a complete test, but better than nothing.
12160     */
12161    store_delete(&pm.this);
12162 
12163    /* Error exit if there are any errors, and maybe if there are any
12164     * warnings.
12165     */
12166    if (pm.this.nerrors || (pm.this.treat_warnings_as_errors &&
12167        pm.this.nwarnings))
12168    {
12169       if (!pm.this.verbose)
12170          fprintf(stderr, "pngvalid: %s\n", pm.this.error);
12171 
12172       fprintf(stderr, "pngvalid: %d errors, %d warnings\n", pm.this.nerrors,
12173           pm.this.nwarnings);
12174 
12175       exit(1);
12176    }
12177 
12178    /* Success case. */
12179    if (touch != NULL)
12180    {
12181       FILE *fsuccess = fopen(touch, "wt");
12182 
12183       if (fsuccess != NULL)
12184       {
12185          int error = 0;
12186          fprintf(fsuccess, "PNG validation succeeded\n");
12187          fflush(fsuccess);
12188          error = ferror(fsuccess);
12189 
12190          if (fclose(fsuccess) || error)
12191          {
12192             fprintf(stderr, "%s: write failed\n", touch);
12193             exit(1);
12194          }
12195       }
12196 
12197       else
12198       {
12199          fprintf(stderr, "%s: open failed\n", touch);
12200          exit(1);
12201       }
12202    }
12203 
12204    /* This is required because some very minimal configurations do not use it:
12205     */
12206    UNUSED(fail)
12207    return 0;
12208 }
12209 #else /* write or low level APIs not supported */
main(void)12210 int main(void)
12211 {
12212    fprintf(stderr,
12213       "pngvalid: no low level write support in libpng, all tests skipped\n");
12214    /* So the test is skipped: */
12215    return SKIP;
12216 }
12217 #endif
12218