1 
2 /* png.c - location for general purpose libpng functions
3  *
4  * Last changed in libpng 1.2.43 [February 25, 2010]
5  * Copyright (c) 1998-2010 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #define PNG_INTERNAL
15 #define PNG_NO_EXTERN
16 #define PNG_NO_PEDANTIC_WARNINGS
17 #include "png.h"
18 
19 /* Generate a compiler error if there is an old png.h in the search path. */
20 typedef version_1_2_44 Your_png_h_is_not_version_1_2_44;
21 
22 /* Version information for C files.  This had better match the version
23  * string defined in png.h.
24  */
25 
26 #ifdef PNG_USE_GLOBAL_ARRAYS
27 /* png_libpng_ver was changed to a function in version 1.0.5c */
28 PNG_CONST char png_libpng_ver[18] = PNG_LIBPNG_VER_STRING;
29 
30 #ifdef PNG_READ_SUPPORTED
31 
32 /* png_sig was changed to a function in version 1.0.5c */
33 /* Place to hold the signature string for a PNG file. */
34 PNG_CONST png_byte FARDATA png_sig[8] = {137, 80, 78, 71, 13, 10, 26, 10};
35 #endif /* PNG_READ_SUPPORTED */
36 
37 /* Invoke global declarations for constant strings for known chunk types */
38 PNG_IHDR;
39 PNG_IDAT;
40 PNG_IEND;
41 PNG_PLTE;
42 PNG_bKGD;
43 PNG_cHRM;
44 PNG_gAMA;
45 PNG_hIST;
46 PNG_iCCP;
47 PNG_iTXt;
48 PNG_oFFs;
49 PNG_pCAL;
50 PNG_sCAL;
51 PNG_pHYs;
52 PNG_sBIT;
53 PNG_sPLT;
54 PNG_sRGB;
55 PNG_tEXt;
56 PNG_tIME;
57 PNG_tRNS;
58 PNG_zTXt;
59 
60 #ifdef PNG_READ_SUPPORTED
61 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
62 
63 /* Start of interlace block */
64 PNG_CONST int FARDATA png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
65 
66 /* Offset to next interlace block */
67 PNG_CONST int FARDATA png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
68 
69 /* Start of interlace block in the y direction */
70 PNG_CONST int FARDATA png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
71 
72 /* Offset to next interlace block in the y direction */
73 PNG_CONST int FARDATA png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
74 
75 /* Height of interlace block.  This is not currently used - if you need
76  * it, uncomment it here and in png.h
77 PNG_CONST int FARDATA png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
78 */
79 
80 /* Mask to determine which pixels are valid in a pass */
81 PNG_CONST int FARDATA png_pass_mask[] =
82     {0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff};
83 
84 /* Mask to determine which pixels to overwrite while displaying */
85 PNG_CONST int FARDATA png_pass_dsp_mask[]
86    = {0xff, 0x0f, 0xff, 0x33, 0xff, 0x55, 0xff};
87 
88 #endif /* PNG_READ_SUPPORTED */
89 #endif /* PNG_USE_GLOBAL_ARRAYS */
90 
91 /* Tells libpng that we have already handled the first "num_bytes" bytes
92  * of the PNG file signature.  If the PNG data is embedded into another
93  * stream we can set num_bytes = 8 so that libpng will not attempt to read
94  * or write any of the magic bytes before it starts on the IHDR.
95  */
96 
97 #ifdef PNG_READ_SUPPORTED
98 void PNGAPI
png_set_sig_bytes(png_structp png_ptr,int num_bytes)99 png_set_sig_bytes(png_structp png_ptr, int num_bytes)
100 {
101    png_debug(1, "in png_set_sig_bytes");
102 
103    if (png_ptr == NULL)
104       return;
105 
106    if (num_bytes > 8)
107       png_error(png_ptr, "Too many bytes for PNG signature.");
108 
109    png_ptr->sig_bytes = (png_byte)(num_bytes < 0 ? 0 : num_bytes);
110 }
111 
112 /* Checks whether the supplied bytes match the PNG signature.  We allow
113  * checking less than the full 8-byte signature so that those apps that
114  * already read the first few bytes of a file to determine the file type
115  * can simply check the remaining bytes for extra assurance.  Returns
116  * an integer less than, equal to, or greater than zero if sig is found,
117  * respectively, to be less than, to match, or be greater than the correct
118  * PNG signature (this is the same behaviour as strcmp, memcmp, etc).
119  */
120 int PNGAPI
png_sig_cmp(png_bytep sig,png_size_t start,png_size_t num_to_check)121 png_sig_cmp(png_bytep sig, png_size_t start, png_size_t num_to_check)
122 {
123    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
124    if (num_to_check > 8)
125       num_to_check = 8;
126    else if (num_to_check < 1)
127       return (-1);
128 
129    if (start > 7)
130       return (-1);
131 
132    if (start + num_to_check > 8)
133       num_to_check = 8 - start;
134 
135    return ((int)(png_memcmp(&sig[start], &png_signature[start], num_to_check)));
136 }
137 
138 #if defined(PNG_1_0_X) || defined(PNG_1_2_X)
139 /* (Obsolete) function to check signature bytes.  It does not allow one
140  * to check a partial signature.  This function might be removed in the
141  * future - use png_sig_cmp().  Returns true (nonzero) if the file is PNG.
142  */
143 int PNGAPI
png_check_sig(png_bytep sig,int num)144 png_check_sig(png_bytep sig, int num)
145 {
146   return ((int)!png_sig_cmp(sig, (png_size_t)0, (png_size_t)num));
147 }
148 #endif
149 #endif /* PNG_READ_SUPPORTED */
150 
151 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
152 /* Function to allocate memory for zlib and clear it to 0. */
153 #ifdef PNG_1_0_X
154 voidpf PNGAPI
155 #else
156 voidpf /* PRIVATE */
157 #endif
png_zalloc(voidpf png_ptr,uInt items,uInt size)158 png_zalloc(voidpf png_ptr, uInt items, uInt size)
159 {
160    png_voidp ptr;
161    png_structp p=(png_structp)png_ptr;
162    png_uint_32 save_flags=p->flags;
163    png_uint_32 num_bytes;
164 
165    if (png_ptr == NULL)
166       return (NULL);
167    if (items > PNG_UINT_32_MAX/size)
168    {
169      png_warning (p, "Potential overflow in png_zalloc()");
170      return (NULL);
171    }
172    num_bytes = (png_uint_32)items * size;
173 
174    p->flags|=PNG_FLAG_MALLOC_NULL_MEM_OK;
175    ptr = (png_voidp)png_malloc((png_structp)png_ptr, num_bytes);
176    p->flags=save_flags;
177 
178 #if defined(PNG_1_0_X) && !defined(PNG_NO_ZALLOC_ZERO)
179    if (ptr == NULL)
180        return ((voidpf)ptr);
181 
182    if (num_bytes > (png_uint_32)0x8000L)
183    {
184       png_memset(ptr, 0, (png_size_t)0x8000L);
185       png_memset((png_bytep)ptr + (png_size_t)0x8000L, 0,
186          (png_size_t)(num_bytes - (png_uint_32)0x8000L));
187    }
188    else
189    {
190       png_memset(ptr, 0, (png_size_t)num_bytes);
191    }
192 #endif
193    return ((voidpf)ptr);
194 }
195 
196 /* Function to free memory for zlib */
197 #ifdef PNG_1_0_X
198 void PNGAPI
199 #else
200 void /* PRIVATE */
201 #endif
png_zfree(voidpf png_ptr,voidpf ptr)202 png_zfree(voidpf png_ptr, voidpf ptr)
203 {
204    png_free((png_structp)png_ptr, (png_voidp)ptr);
205 }
206 
207 /* Reset the CRC variable to 32 bits of 1's.  Care must be taken
208  * in case CRC is > 32 bits to leave the top bits 0.
209  */
210 void /* PRIVATE */
png_reset_crc(png_structp png_ptr)211 png_reset_crc(png_structp png_ptr)
212 {
213    png_ptr->crc = crc32(0, Z_NULL, 0);
214 }
215 
216 /* Calculate the CRC over a section of data.  We can only pass as
217  * much data to this routine as the largest single buffer size.  We
218  * also check that this data will actually be used before going to the
219  * trouble of calculating it.
220  */
221 void /* PRIVATE */
png_calculate_crc(png_structp png_ptr,png_bytep ptr,png_size_t length)222 png_calculate_crc(png_structp png_ptr, png_bytep ptr, png_size_t length)
223 {
224    int need_crc = 1;
225 
226    if (png_ptr->chunk_name[0] & 0x20)                     /* ancillary */
227    {
228       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
229           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
230          need_crc = 0;
231    }
232    else                                                    /* critical */
233    {
234       if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
235          need_crc = 0;
236    }
237 
238    if (need_crc)
239       png_ptr->crc = crc32(png_ptr->crc, ptr, (uInt)length);
240 }
241 
242 /* Allocate the memory for an info_struct for the application.  We don't
243  * really need the png_ptr, but it could potentially be useful in the
244  * future.  This should be used in favour of malloc(png_sizeof(png_info))
245  * and png_info_init() so that applications that want to use a shared
246  * libpng don't have to be recompiled if png_info changes size.
247  */
248 png_infop PNGAPI
png_create_info_struct(png_structp png_ptr)249 png_create_info_struct(png_structp png_ptr)
250 {
251    png_infop info_ptr;
252 
253    png_debug(1, "in png_create_info_struct");
254 
255    if (png_ptr == NULL)
256       return (NULL);
257 
258 #ifdef PNG_USER_MEM_SUPPORTED
259    info_ptr = (png_infop)png_create_struct_2(PNG_STRUCT_INFO,
260       png_ptr->malloc_fn, png_ptr->mem_ptr);
261 #else
262    info_ptr = (png_infop)png_create_struct(PNG_STRUCT_INFO);
263 #endif
264    if (info_ptr != NULL)
265       png_info_init_3(&info_ptr, png_sizeof(png_info));
266 
267    return (info_ptr);
268 }
269 
270 /* This function frees the memory associated with a single info struct.
271  * Normally, one would use either png_destroy_read_struct() or
272  * png_destroy_write_struct() to free an info struct, but this may be
273  * useful for some applications.
274  */
275 void PNGAPI
png_destroy_info_struct(png_structp png_ptr,png_infopp info_ptr_ptr)276 png_destroy_info_struct(png_structp png_ptr, png_infopp info_ptr_ptr)
277 {
278    png_infop info_ptr = NULL;
279 
280    png_debug(1, "in png_destroy_info_struct");
281 
282    if (png_ptr == NULL)
283       return;
284 
285    if (info_ptr_ptr != NULL)
286       info_ptr = *info_ptr_ptr;
287 
288    if (info_ptr != NULL)
289    {
290       png_info_destroy(png_ptr, info_ptr);
291 
292 #ifdef PNG_USER_MEM_SUPPORTED
293       png_destroy_struct_2((png_voidp)info_ptr, png_ptr->free_fn,
294           png_ptr->mem_ptr);
295 #else
296       png_destroy_struct((png_voidp)info_ptr);
297 #endif
298       *info_ptr_ptr = NULL;
299    }
300 }
301 
302 /* Initialize the info structure.  This is now an internal function (0.89)
303  * and applications using it are urged to use png_create_info_struct()
304  * instead.
305  */
306 #if defined(PNG_1_0_X) || defined(PNG_1_2_X)
307 #undef png_info_init
308 void PNGAPI
png_info_init(png_infop info_ptr)309 png_info_init(png_infop info_ptr)
310 {
311    /* We only come here via pre-1.0.12-compiled applications */
312    png_info_init_3(&info_ptr, 0);
313 }
314 #endif
315 
316 void PNGAPI
png_info_init_3(png_infopp ptr_ptr,png_size_t png_info_struct_size)317 png_info_init_3(png_infopp ptr_ptr, png_size_t png_info_struct_size)
318 {
319    png_infop info_ptr = *ptr_ptr;
320 
321    png_debug(1, "in png_info_init_3");
322 
323    if (info_ptr == NULL)
324       return;
325 
326    if (png_sizeof(png_info) > png_info_struct_size)
327    {
328       png_destroy_struct(info_ptr);
329       info_ptr = (png_infop)png_create_struct(PNG_STRUCT_INFO);
330       *ptr_ptr = info_ptr;
331    }
332 
333    /* Set everything to 0 */
334    png_memset(info_ptr, 0, png_sizeof(png_info));
335 }
336 
337 #ifdef PNG_FREE_ME_SUPPORTED
338 void PNGAPI
png_data_freer(png_structp png_ptr,png_infop info_ptr,int freer,png_uint_32 mask)339 png_data_freer(png_structp png_ptr, png_infop info_ptr,
340    int freer, png_uint_32 mask)
341 {
342    png_debug(1, "in png_data_freer");
343 
344    if (png_ptr == NULL || info_ptr == NULL)
345       return;
346 
347    if (freer == PNG_DESTROY_WILL_FREE_DATA)
348       info_ptr->free_me |= mask;
349    else if (freer == PNG_USER_WILL_FREE_DATA)
350       info_ptr->free_me &= ~mask;
351    else
352       png_warning(png_ptr,
353          "Unknown freer parameter in png_data_freer.");
354 }
355 #endif
356 
357 void PNGAPI
png_free_data(png_structp png_ptr,png_infop info_ptr,png_uint_32 mask,int num)358 png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
359    int num)
360 {
361    png_debug(1, "in png_free_data");
362 
363    if (png_ptr == NULL || info_ptr == NULL)
364       return;
365 
366 #ifdef PNG_TEXT_SUPPORTED
367    /* Free text item num or (if num == -1) all text items */
368 #ifdef PNG_FREE_ME_SUPPORTED
369    if ((mask & PNG_FREE_TEXT) & info_ptr->free_me)
370 #else
371    if (mask & PNG_FREE_TEXT)
372 #endif
373    {
374       if (num != -1)
375       {
376          if (info_ptr->text && info_ptr->text[num].key)
377          {
378             png_free(png_ptr, info_ptr->text[num].key);
379             info_ptr->text[num].key = NULL;
380          }
381       }
382       else
383       {
384          int i;
385          for (i = 0; i < info_ptr->num_text; i++)
386              png_free_data(png_ptr, info_ptr, PNG_FREE_TEXT, i);
387          png_free(png_ptr, info_ptr->text);
388          info_ptr->text = NULL;
389          info_ptr->num_text=0;
390       }
391    }
392 #endif
393 
394 #ifdef PNG_tRNS_SUPPORTED
395    /* Free any tRNS entry */
396 #ifdef PNG_FREE_ME_SUPPORTED
397    if ((mask & PNG_FREE_TRNS) & info_ptr->free_me)
398 #else
399    if ((mask & PNG_FREE_TRNS) && (png_ptr->flags & PNG_FLAG_FREE_TRNS))
400 #endif
401    {
402       png_free(png_ptr, info_ptr->trans);
403       info_ptr->trans = NULL;
404       info_ptr->valid &= ~PNG_INFO_tRNS;
405 #ifndef PNG_FREE_ME_SUPPORTED
406       png_ptr->flags &= ~PNG_FLAG_FREE_TRNS;
407 #endif
408    }
409 #endif
410 
411 #ifdef PNG_sCAL_SUPPORTED
412    /* Free any sCAL entry */
413 #ifdef PNG_FREE_ME_SUPPORTED
414    if ((mask & PNG_FREE_SCAL) & info_ptr->free_me)
415 #else
416    if (mask & PNG_FREE_SCAL)
417 #endif
418    {
419 #if defined(PNG_FIXED_POINT_SUPPORTED) && !defined(PNG_FLOATING_POINT_SUPPORTED)
420       png_free(png_ptr, info_ptr->scal_s_width);
421       png_free(png_ptr, info_ptr->scal_s_height);
422       info_ptr->scal_s_width = NULL;
423       info_ptr->scal_s_height = NULL;
424 #endif
425       info_ptr->valid &= ~PNG_INFO_sCAL;
426    }
427 #endif
428 
429 #ifdef PNG_pCAL_SUPPORTED
430    /* Free any pCAL entry */
431 #ifdef PNG_FREE_ME_SUPPORTED
432    if ((mask & PNG_FREE_PCAL) & info_ptr->free_me)
433 #else
434    if (mask & PNG_FREE_PCAL)
435 #endif
436    {
437       png_free(png_ptr, info_ptr->pcal_purpose);
438       png_free(png_ptr, info_ptr->pcal_units);
439       info_ptr->pcal_purpose = NULL;
440       info_ptr->pcal_units = NULL;
441       if (info_ptr->pcal_params != NULL)
442          {
443             int i;
444             for (i = 0; i < (int)info_ptr->pcal_nparams; i++)
445             {
446                png_free(png_ptr, info_ptr->pcal_params[i]);
447                info_ptr->pcal_params[i] = NULL;
448             }
449             png_free(png_ptr, info_ptr->pcal_params);
450             info_ptr->pcal_params = NULL;
451          }
452       info_ptr->valid &= ~PNG_INFO_pCAL;
453    }
454 #endif
455 
456 #ifdef PNG_iCCP_SUPPORTED
457    /* Free any iCCP entry */
458 #ifdef PNG_FREE_ME_SUPPORTED
459    if ((mask & PNG_FREE_ICCP) & info_ptr->free_me)
460 #else
461    if (mask & PNG_FREE_ICCP)
462 #endif
463    {
464       png_free(png_ptr, info_ptr->iccp_name);
465       png_free(png_ptr, info_ptr->iccp_profile);
466       info_ptr->iccp_name = NULL;
467       info_ptr->iccp_profile = NULL;
468       info_ptr->valid &= ~PNG_INFO_iCCP;
469    }
470 #endif
471 
472 #ifdef PNG_sPLT_SUPPORTED
473    /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
474 #ifdef PNG_FREE_ME_SUPPORTED
475    if ((mask & PNG_FREE_SPLT) & info_ptr->free_me)
476 #else
477    if (mask & PNG_FREE_SPLT)
478 #endif
479    {
480       if (num != -1)
481       {
482          if (info_ptr->splt_palettes)
483          {
484             png_free(png_ptr, info_ptr->splt_palettes[num].name);
485             png_free(png_ptr, info_ptr->splt_palettes[num].entries);
486             info_ptr->splt_palettes[num].name = NULL;
487             info_ptr->splt_palettes[num].entries = NULL;
488          }
489       }
490       else
491       {
492          if (info_ptr->splt_palettes_num)
493          {
494             int i;
495             for (i = 0; i < (int)info_ptr->splt_palettes_num; i++)
496                png_free_data(png_ptr, info_ptr, PNG_FREE_SPLT, i);
497 
498             png_free(png_ptr, info_ptr->splt_palettes);
499             info_ptr->splt_palettes = NULL;
500             info_ptr->splt_palettes_num = 0;
501          }
502          info_ptr->valid &= ~PNG_INFO_sPLT;
503       }
504    }
505 #endif
506 
507 #ifdef PNG_UNKNOWN_CHUNKS_SUPPORTED
508    if (png_ptr->unknown_chunk.data)
509    {
510       png_free(png_ptr, png_ptr->unknown_chunk.data);
511       png_ptr->unknown_chunk.data = NULL;
512    }
513 
514 #ifdef PNG_FREE_ME_SUPPORTED
515    if ((mask & PNG_FREE_UNKN) & info_ptr->free_me)
516 #else
517    if (mask & PNG_FREE_UNKN)
518 #endif
519    {
520       if (num != -1)
521       {
522           if (info_ptr->unknown_chunks)
523           {
524              png_free(png_ptr, info_ptr->unknown_chunks[num].data);
525              info_ptr->unknown_chunks[num].data = NULL;
526           }
527       }
528       else
529       {
530          int i;
531 
532          if (info_ptr->unknown_chunks_num)
533          {
534             for (i = 0; i < (int)info_ptr->unknown_chunks_num; i++)
535                png_free_data(png_ptr, info_ptr, PNG_FREE_UNKN, i);
536 
537             png_free(png_ptr, info_ptr->unknown_chunks);
538             info_ptr->unknown_chunks = NULL;
539             info_ptr->unknown_chunks_num = 0;
540          }
541       }
542    }
543 #endif
544 
545 #ifdef PNG_hIST_SUPPORTED
546    /* Free any hIST entry */
547 #ifdef PNG_FREE_ME_SUPPORTED
548    if ((mask & PNG_FREE_HIST)  & info_ptr->free_me)
549 #else
550    if ((mask & PNG_FREE_HIST) && (png_ptr->flags & PNG_FLAG_FREE_HIST))
551 #endif
552    {
553       png_free(png_ptr, info_ptr->hist);
554       info_ptr->hist = NULL;
555       info_ptr->valid &= ~PNG_INFO_hIST;
556 #ifndef PNG_FREE_ME_SUPPORTED
557       png_ptr->flags &= ~PNG_FLAG_FREE_HIST;
558 #endif
559    }
560 #endif
561 
562    /* Free any PLTE entry that was internally allocated */
563 #ifdef PNG_FREE_ME_SUPPORTED
564    if ((mask & PNG_FREE_PLTE) & info_ptr->free_me)
565 #else
566    if ((mask & PNG_FREE_PLTE) && (png_ptr->flags & PNG_FLAG_FREE_PLTE))
567 #endif
568    {
569       png_zfree(png_ptr, info_ptr->palette);
570       info_ptr->palette = NULL;
571       info_ptr->valid &= ~PNG_INFO_PLTE;
572 #ifndef PNG_FREE_ME_SUPPORTED
573       png_ptr->flags &= ~PNG_FLAG_FREE_PLTE;
574 #endif
575       info_ptr->num_palette = 0;
576    }
577 
578 #ifdef PNG_INFO_IMAGE_SUPPORTED
579    /* Free any image bits attached to the info structure */
580 #ifdef PNG_FREE_ME_SUPPORTED
581    if ((mask & PNG_FREE_ROWS) & info_ptr->free_me)
582 #else
583    if (mask & PNG_FREE_ROWS)
584 #endif
585    {
586       if (info_ptr->row_pointers)
587       {
588          int row;
589          for (row = 0; row < (int)info_ptr->height; row++)
590          {
591             png_free(png_ptr, info_ptr->row_pointers[row]);
592             info_ptr->row_pointers[row] = NULL;
593          }
594          png_free(png_ptr, info_ptr->row_pointers);
595          info_ptr->row_pointers = NULL;
596       }
597       info_ptr->valid &= ~PNG_INFO_IDAT;
598    }
599 #endif
600 
601 #ifdef PNG_FREE_ME_SUPPORTED
602    if (num == -1)
603       info_ptr->free_me &= ~mask;
604    else
605       info_ptr->free_me &= ~(mask & ~PNG_FREE_MUL);
606 #endif
607 }
608 
609 /* This is an internal routine to free any memory that the info struct is
610  * pointing to before re-using it or freeing the struct itself.  Recall
611  * that png_free() checks for NULL pointers for us.
612  */
613 void /* PRIVATE */
png_info_destroy(png_structp png_ptr,png_infop info_ptr)614 png_info_destroy(png_structp png_ptr, png_infop info_ptr)
615 {
616    png_debug(1, "in png_info_destroy");
617 
618    png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
619 
620 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
621    if (png_ptr->num_chunk_list)
622    {
623       png_free(png_ptr, png_ptr->chunk_list);
624       png_ptr->chunk_list = NULL;
625       png_ptr->num_chunk_list = 0;
626    }
627 #endif
628 
629    png_info_init_3(&info_ptr, png_sizeof(png_info));
630 }
631 #endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
632 
633 /* This function returns a pointer to the io_ptr associated with the user
634  * functions.  The application should free any memory associated with this
635  * pointer before png_write_destroy() or png_read_destroy() are called.
636  */
637 png_voidp PNGAPI
png_get_io_ptr(png_structp png_ptr)638 png_get_io_ptr(png_structp png_ptr)
639 {
640    if (png_ptr == NULL)
641       return (NULL);
642    return (png_ptr->io_ptr);
643 }
644 
645 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
646 #ifdef PNG_STDIO_SUPPORTED
647 /* Initialize the default input/output functions for the PNG file.  If you
648  * use your own read or write routines, you can call either png_set_read_fn()
649  * or png_set_write_fn() instead of png_init_io().  If you have defined
650  * PNG_NO_STDIO, you must use a function of your own because "FILE *" isn't
651  * necessarily available.
652  */
653 void PNGAPI
png_init_io(png_structp png_ptr,png_FILE_p fp)654 png_init_io(png_structp png_ptr, png_FILE_p fp)
655 {
656    png_debug(1, "in png_init_io");
657 
658    if (png_ptr == NULL)
659       return;
660 
661    png_ptr->io_ptr = (png_voidp)fp;
662 }
663 #endif
664 
665 #ifdef PNG_TIME_RFC1123_SUPPORTED
666 /* Convert the supplied time into an RFC 1123 string suitable for use in
667  * a "Creation Time" or other text-based time string.
668  */
669 png_charp PNGAPI
png_convert_to_rfc1123(png_structp png_ptr,png_timep ptime)670 png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
671 {
672    static PNG_CONST char short_months[12][4] =
673         {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
674          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
675 
676    if (png_ptr == NULL)
677       return (NULL);
678    if (png_ptr->time_buffer == NULL)
679    {
680       png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*
681          png_sizeof(char)));
682    }
683 
684 #ifdef _WIN32_WCE
685    {
686       wchar_t time_buf[29];
687       wsprintf(time_buf, TEXT("%d %S %d %02d:%02d:%02d +0000"),
688           ptime->day % 32, short_months[(ptime->month - 1) % 12],
689         ptime->year, ptime->hour % 24, ptime->minute % 60,
690           ptime->second % 61);
691       WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer,
692           29, NULL, NULL);
693    }
694 #else
695 #ifdef USE_FAR_KEYWORD
696    {
697       char near_time_buf[29];
698       png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",
699           ptime->day % 32, short_months[(ptime->month - 1) % 12],
700           ptime->year, ptime->hour % 24, ptime->minute % 60,
701           ptime->second % 61);
702       png_memcpy(png_ptr->time_buffer, near_time_buf,
703           29*png_sizeof(char));
704    }
705 #else
706    png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
707        ptime->day % 32, short_months[(ptime->month - 1) % 12],
708        ptime->year, ptime->hour % 24, ptime->minute % 60,
709        ptime->second % 61);
710 #endif
711 #endif /* _WIN32_WCE */
712    return ((png_charp)png_ptr->time_buffer);
713 }
714 #endif /* PNG_TIME_RFC1123_SUPPORTED */
715 
716 #endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
717 
718 png_charp PNGAPI
png_get_copyright(png_structp png_ptr)719 png_get_copyright(png_structp png_ptr)
720 {
721    png_ptr = png_ptr;  /* Silence compiler warning about unused png_ptr */
722 #ifdef PNG_STRING_COPYRIGHT
723       return PNG_STRING_COPYRIGHT
724 #else
725 #ifdef __STDC__
726    return ((png_charp) PNG_STRING_NEWLINE \
727      "libpng version 1.2.44 - June 26, 2010" PNG_STRING_NEWLINE \
728      "Copyright (c) 1998-2010 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
729      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
730      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
731      PNG_STRING_NEWLINE);
732 #else
733       return ((png_charp) "libpng version 1.2.44 - June 26, 2010\
734       Copyright (c) 1998-2010 Glenn Randers-Pehrson\
735       Copyright (c) 1996-1997 Andreas Dilger\
736       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");
737 #endif
738 #endif
739 }
740 
741 /* The following return the library version as a short string in the
742  * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
743  * used with your application, print out PNG_LIBPNG_VER_STRING, which
744  * is defined in png.h.
745  * Note: now there is no difference between png_get_libpng_ver() and
746  * png_get_header_ver().  Due to the version_nn_nn_nn typedef guard,
747  * it is guaranteed that png.c uses the correct version of png.h.
748  */
749 png_charp PNGAPI
png_get_libpng_ver(png_structp png_ptr)750 png_get_libpng_ver(png_structp png_ptr)
751 {
752    /* Version of *.c files used when building libpng */
753    png_ptr = png_ptr;  /* Silence compiler warning about unused png_ptr */
754    return ((png_charp) PNG_LIBPNG_VER_STRING);
755 }
756 
757 png_charp PNGAPI
png_get_header_ver(png_structp png_ptr)758 png_get_header_ver(png_structp png_ptr)
759 {
760    /* Version of *.h files used when building libpng */
761    png_ptr = png_ptr;  /* Silence compiler warning about unused png_ptr */
762    return ((png_charp) PNG_LIBPNG_VER_STRING);
763 }
764 
765 png_charp PNGAPI
png_get_header_version(png_structp png_ptr)766 png_get_header_version(png_structp png_ptr)
767 {
768    /* Returns longer string containing both version and date */
769    png_ptr = png_ptr;  /* Silence compiler warning about unused png_ptr */
770 #ifdef __STDC__
771    return ((png_charp) PNG_HEADER_VERSION_STRING
772 #ifndef PNG_READ_SUPPORTED
773    "     (NO READ SUPPORT)"
774 #endif
775    PNG_STRING_NEWLINE);
776 #else
777    return ((png_charp) PNG_HEADER_VERSION_STRING);
778 #endif
779 }
780 
781 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
782 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
783 int PNGAPI
png_handle_as_unknown(png_structp png_ptr,png_bytep chunk_name)784 png_handle_as_unknown(png_structp png_ptr, png_bytep chunk_name)
785 {
786    /* Check chunk_name and return "keep" value if it's on the list, else 0 */
787    int i;
788    png_bytep p;
789    if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list<=0)
790       return 0;
791    p = png_ptr->chunk_list + png_ptr->num_chunk_list*5 - 5;
792    for (i = png_ptr->num_chunk_list; i; i--, p -= 5)
793       if (!png_memcmp(chunk_name, p, 4))
794         return ((int)*(p + 4));
795    return 0;
796 }
797 #endif
798 
799 /* This function, added to libpng-1.0.6g, is untested. */
800 int PNGAPI
png_reset_zstream(png_structp png_ptr)801 png_reset_zstream(png_structp png_ptr)
802 {
803    if (png_ptr == NULL)
804       return Z_STREAM_ERROR;
805    return (inflateReset(&png_ptr->zstream));
806 }
807 #endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
808 
809 /* This function was added to libpng-1.0.7 */
810 png_uint_32 PNGAPI
png_access_version_number(void)811 png_access_version_number(void)
812 {
813    /* Version of *.c files used when building libpng */
814    return((png_uint_32) PNG_LIBPNG_VER);
815 }
816 
817 
818 #if defined(PNG_READ_SUPPORTED) && defined(PNG_ASSEMBLER_CODE_SUPPORTED)
819 #ifndef PNG_1_0_X
820 /* This function was added to libpng 1.2.0 */
821 int PNGAPI
png_mmx_support(void)822 png_mmx_support(void)
823 {
824    /* Obsolete, to be removed from libpng-1.4.0 */
825     return -1;
826 }
827 #endif /* PNG_1_0_X */
828 #endif /* PNG_READ_SUPPORTED && PNG_ASSEMBLER_CODE_SUPPORTED */
829 
830 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
831 #ifdef PNG_SIZE_T
832 /* Added at libpng version 1.2.6 */
833    PNG_EXTERN png_size_t PNGAPI png_convert_size PNGARG((size_t size));
834 png_size_t PNGAPI
png_convert_size(size_t size)835 png_convert_size(size_t size)
836 {
837    if (size > (png_size_t)-1)
838       PNG_ABORT();  /* We haven't got access to png_ptr, so no png_error() */
839    return ((png_size_t)size);
840 }
841 #endif /* PNG_SIZE_T */
842 
843 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
844 #ifdef PNG_cHRM_SUPPORTED
845 #ifdef PNG_CHECK_cHRM_SUPPORTED
846 
847 /*
848  *    Multiply two 32-bit numbers, V1 and V2, using 32-bit
849  *    arithmetic, to produce a 64 bit result in the HI/LO words.
850  *
851  *                  A B
852  *                x C D
853  *               ------
854  *              AD || BD
855  *        AC || CB || 0
856  *
857  *    where A and B are the high and low 16-bit words of V1,
858  *    C and D are the 16-bit words of V2, AD is the product of
859  *    A and D, and X || Y is (X << 16) + Y.
860 */
861 
862 void /* PRIVATE */
png_64bit_product(long v1,long v2,unsigned long * hi_product,unsigned long * lo_product)863 png_64bit_product (long v1, long v2, unsigned long *hi_product,
864    unsigned long *lo_product)
865 {
866    int a, b, c, d;
867    long lo, hi, x, y;
868 
869    a = (v1 >> 16) & 0xffff;
870    b = v1 & 0xffff;
871    c = (v2 >> 16) & 0xffff;
872    d = v2 & 0xffff;
873 
874    lo = b * d;                   /* BD */
875    x = a * d + c * b;            /* AD + CB */
876    y = ((lo >> 16) & 0xffff) + x;
877 
878    lo = (lo & 0xffff) | ((y & 0xffff) << 16);
879    hi = (y >> 16) & 0xffff;
880 
881    hi += a * c;                  /* AC */
882 
883    *hi_product = (unsigned long)hi;
884    *lo_product = (unsigned long)lo;
885 }
886 
887 int /* PRIVATE */
png_check_cHRM_fixed(png_structp png_ptr,png_fixed_point white_x,png_fixed_point white_y,png_fixed_point red_x,png_fixed_point red_y,png_fixed_point green_x,png_fixed_point green_y,png_fixed_point blue_x,png_fixed_point blue_y)888 png_check_cHRM_fixed(png_structp png_ptr,
889    png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
890    png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
891    png_fixed_point blue_x, png_fixed_point blue_y)
892 {
893    int ret = 1;
894    unsigned long xy_hi,xy_lo,yx_hi,yx_lo;
895 
896    png_debug(1, "in function png_check_cHRM_fixed");
897 
898    if (png_ptr == NULL)
899       return 0;
900 
901    if (white_x < 0 || white_y <= 0 ||
902          red_x < 0 ||   red_y <  0 ||
903        green_x < 0 || green_y <  0 ||
904         blue_x < 0 ||  blue_y <  0)
905    {
906       png_warning(png_ptr,
907         "Ignoring attempt to set negative chromaticity value");
908       ret = 0;
909    }
910    if (white_x > (png_fixed_point) PNG_UINT_31_MAX ||
911        white_y > (png_fixed_point) PNG_UINT_31_MAX ||
912          red_x > (png_fixed_point) PNG_UINT_31_MAX ||
913          red_y > (png_fixed_point) PNG_UINT_31_MAX ||
914        green_x > (png_fixed_point) PNG_UINT_31_MAX ||
915        green_y > (png_fixed_point) PNG_UINT_31_MAX ||
916         blue_x > (png_fixed_point) PNG_UINT_31_MAX ||
917         blue_y > (png_fixed_point) PNG_UINT_31_MAX )
918    {
919       png_warning(png_ptr,
920         "Ignoring attempt to set chromaticity value exceeding 21474.83");
921       ret = 0;
922    }
923    if (white_x > 100000L - white_y)
924    {
925       png_warning(png_ptr, "Invalid cHRM white point");
926       ret = 0;
927    }
928    if (red_x > 100000L - red_y)
929    {
930       png_warning(png_ptr, "Invalid cHRM red point");
931       ret = 0;
932    }
933    if (green_x > 100000L - green_y)
934    {
935       png_warning(png_ptr, "Invalid cHRM green point");
936       ret = 0;
937    }
938    if (blue_x > 100000L - blue_y)
939    {
940       png_warning(png_ptr, "Invalid cHRM blue point");
941       ret = 0;
942    }
943 
944    png_64bit_product(green_x - red_x, blue_y - red_y, &xy_hi, &xy_lo);
945    png_64bit_product(green_y - red_y, blue_x - red_x, &yx_hi, &yx_lo);
946 
947    if (xy_hi == yx_hi && xy_lo == yx_lo)
948    {
949       png_warning(png_ptr,
950          "Ignoring attempt to set cHRM RGB triangle with zero area");
951       ret = 0;
952    }
953 
954    return ret;
955 }
956 #endif /* PNG_CHECK_cHRM_SUPPORTED */
957 #endif /* PNG_cHRM_SUPPORTED */
958 
959 void /* PRIVATE */
png_check_IHDR(png_structp png_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int interlace_type,int compression_type,int filter_type)960 png_check_IHDR(png_structp png_ptr,
961    png_uint_32 width, png_uint_32 height, int bit_depth,
962    int color_type, int interlace_type, int compression_type,
963    int filter_type)
964 {
965    int error = 0;
966 
967    /* Check for width and height valid values */
968    if (width == 0)
969    {
970       png_warning(png_ptr, "Image width is zero in IHDR");
971       error = 1;
972    }
973 
974    if (height == 0)
975    {
976       png_warning(png_ptr, "Image height is zero in IHDR");
977       error = 1;
978    }
979 
980 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
981    if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX)
982 #else
983    if (width > PNG_USER_WIDTH_MAX)
984 #endif
985    {
986       png_warning(png_ptr, "Image width exceeds user limit in IHDR");
987       error = 1;
988    }
989 
990 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
991    if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
992 #else
993    if (height > PNG_USER_HEIGHT_MAX)
994 #endif
995    {
996       png_warning(png_ptr, "Image height exceeds user limit in IHDR");
997       error = 1;
998    }
999 
1000    if (width > PNG_UINT_31_MAX)
1001    {
1002       png_warning(png_ptr, "Invalid image width in IHDR");
1003       error = 1;
1004    }
1005 
1006    if ( height > PNG_UINT_31_MAX)
1007    {
1008       png_warning(png_ptr, "Invalid image height in IHDR");
1009       error = 1;
1010    }
1011 
1012    if ( width > (PNG_UINT_32_MAX
1013                  >> 3)      /* 8-byte RGBA pixels */
1014                  - 64       /* bigrowbuf hack */
1015                  - 1        /* filter byte */
1016                  - 7*8      /* rounding of width to multiple of 8 pixels */
1017                  - 8)       /* extra max_pixel_depth pad */
1018       png_warning(png_ptr, "Width is too large for libpng to process pixels");
1019 
1020    /* Check other values */
1021    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
1022        bit_depth != 8 && bit_depth != 16)
1023    {
1024       png_warning(png_ptr, "Invalid bit depth in IHDR");
1025       error = 1;
1026    }
1027 
1028    if (color_type < 0 || color_type == 1 ||
1029        color_type == 5 || color_type > 6)
1030    {
1031       png_warning(png_ptr, "Invalid color type in IHDR");
1032       error = 1;
1033    }
1034 
1035    if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
1036        ((color_type == PNG_COLOR_TYPE_RGB ||
1037          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
1038          color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
1039    {
1040       png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
1041       error = 1;
1042    }
1043 
1044    if (interlace_type >= PNG_INTERLACE_LAST)
1045    {
1046       png_warning(png_ptr, "Unknown interlace method in IHDR");
1047       error = 1;
1048    }
1049 
1050    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
1051    {
1052       png_warning(png_ptr, "Unknown compression method in IHDR");
1053       error = 1;
1054    }
1055 
1056 #ifdef PNG_MNG_FEATURES_SUPPORTED
1057    /* Accept filter_method 64 (intrapixel differencing) only if
1058     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
1059     * 2. Libpng did not read a PNG signature (this filter_method is only
1060     *    used in PNG datastreams that are embedded in MNG datastreams) and
1061     * 3. The application called png_permit_mng_features with a mask that
1062     *    included PNG_FLAG_MNG_FILTER_64 and
1063     * 4. The filter_method is 64 and
1064     * 5. The color_type is RGB or RGBA
1065     */
1066    if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) &&
1067        png_ptr->mng_features_permitted)
1068       png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
1069 
1070    if (filter_type != PNG_FILTER_TYPE_BASE)
1071    {
1072       if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) &&
1073          (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
1074          ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
1075          (color_type == PNG_COLOR_TYPE_RGB ||
1076          color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
1077       {
1078          png_warning(png_ptr, "Unknown filter method in IHDR");
1079          error = 1;
1080       }
1081 
1082       if (png_ptr->mode & PNG_HAVE_PNG_SIGNATURE)
1083       {
1084          png_warning(png_ptr, "Invalid filter method in IHDR");
1085          error = 1;
1086       }
1087    }
1088 
1089 #else
1090    if (filter_type != PNG_FILTER_TYPE_BASE)
1091    {
1092       png_warning(png_ptr, "Unknown filter method in IHDR");
1093       error = 1;
1094    }
1095 #endif
1096 
1097    if (error == 1)
1098       png_error(png_ptr, "Invalid IHDR data");
1099 }
1100 #endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
1101