1 
2 /* pngset.c - storage of image information into info struct
3  *
4  * Last changed in libpng 1.6.21 [January 15, 2016]
5  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  *
13  * The functions here are used during reads to store data from the file
14  * into the info struct, and during writes to store application data
15  * into the info struct for writing into the file.  This abstracts the
16  * info struct and allows us to change the structure in the future.
17  */
18 
19 #include "pngpriv.h"
20 
21 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
22 
23 #ifdef PNG_bKGD_SUPPORTED
24 void PNGAPI
png_set_bKGD(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_16p background)25 png_set_bKGD(png_const_structrp png_ptr, png_inforp info_ptr,
26     png_const_color_16p background)
27 {
28    png_debug1(1, "in %s storage function", "bKGD");
29 
30    if (png_ptr == NULL || info_ptr == NULL || background == NULL)
31       return;
32 
33    info_ptr->background = *background;
34    info_ptr->valid |= PNG_INFO_bKGD;
35 }
36 #endif
37 
38 #ifdef PNG_cHRM_SUPPORTED
39 void PNGFAPI
png_set_cHRM_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point white_x,png_fixed_point white_y,png_fixed_point red_x,png_fixed_point red_y,png_fixed_point green_x,png_fixed_point green_y,png_fixed_point blue_x,png_fixed_point blue_y)40 png_set_cHRM_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
41     png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
42     png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
43     png_fixed_point blue_x, png_fixed_point blue_y)
44 {
45    png_xy xy;
46 
47    png_debug1(1, "in %s storage function", "cHRM fixed");
48 
49    if (png_ptr == NULL || info_ptr == NULL)
50       return;
51 
52    xy.redx = red_x;
53    xy.redy = red_y;
54    xy.greenx = green_x;
55    xy.greeny = green_y;
56    xy.bluex = blue_x;
57    xy.bluey = blue_y;
58    xy.whitex = white_x;
59    xy.whitey = white_y;
60 
61    if (png_colorspace_set_chromaticities(png_ptr, &info_ptr->colorspace, &xy,
62        2/* override with app values*/) != 0)
63       info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
64 
65    png_colorspace_sync_info(png_ptr, info_ptr);
66 }
67 
68 void PNGFAPI
png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point int_red_X,png_fixed_point int_red_Y,png_fixed_point int_red_Z,png_fixed_point int_green_X,png_fixed_point int_green_Y,png_fixed_point int_green_Z,png_fixed_point int_blue_X,png_fixed_point int_blue_Y,png_fixed_point int_blue_Z)69 png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
70     png_fixed_point int_red_X, png_fixed_point int_red_Y,
71     png_fixed_point int_red_Z, png_fixed_point int_green_X,
72     png_fixed_point int_green_Y, png_fixed_point int_green_Z,
73     png_fixed_point int_blue_X, png_fixed_point int_blue_Y,
74     png_fixed_point int_blue_Z)
75 {
76    png_XYZ XYZ;
77 
78    png_debug1(1, "in %s storage function", "cHRM XYZ fixed");
79 
80    if (png_ptr == NULL || info_ptr == NULL)
81       return;
82 
83    XYZ.red_X = int_red_X;
84    XYZ.red_Y = int_red_Y;
85    XYZ.red_Z = int_red_Z;
86    XYZ.green_X = int_green_X;
87    XYZ.green_Y = int_green_Y;
88    XYZ.green_Z = int_green_Z;
89    XYZ.blue_X = int_blue_X;
90    XYZ.blue_Y = int_blue_Y;
91    XYZ.blue_Z = int_blue_Z;
92 
93    if (png_colorspace_set_endpoints(png_ptr, &info_ptr->colorspace,
94        &XYZ, 2) != 0)
95       info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
96 
97    png_colorspace_sync_info(png_ptr, info_ptr);
98 }
99 
100 #  ifdef PNG_FLOATING_POINT_SUPPORTED
101 void PNGAPI
png_set_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,double white_x,double white_y,double red_x,double red_y,double green_x,double green_y,double blue_x,double blue_y)102 png_set_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
103     double white_x, double white_y, double red_x, double red_y,
104     double green_x, double green_y, double blue_x, double blue_y)
105 {
106    png_set_cHRM_fixed(png_ptr, info_ptr,
107       png_fixed(png_ptr, white_x, "cHRM White X"),
108       png_fixed(png_ptr, white_y, "cHRM White Y"),
109       png_fixed(png_ptr, red_x, "cHRM Red X"),
110       png_fixed(png_ptr, red_y, "cHRM Red Y"),
111       png_fixed(png_ptr, green_x, "cHRM Green X"),
112       png_fixed(png_ptr, green_y, "cHRM Green Y"),
113       png_fixed(png_ptr, blue_x, "cHRM Blue X"),
114       png_fixed(png_ptr, blue_y, "cHRM Blue Y"));
115 }
116 
117 void PNGAPI
png_set_cHRM_XYZ(png_const_structrp png_ptr,png_inforp info_ptr,double red_X,double red_Y,double red_Z,double green_X,double green_Y,double green_Z,double blue_X,double blue_Y,double blue_Z)118 png_set_cHRM_XYZ(png_const_structrp png_ptr, png_inforp info_ptr, double red_X,
119     double red_Y, double red_Z, double green_X, double green_Y, double green_Z,
120     double blue_X, double blue_Y, double blue_Z)
121 {
122    png_set_cHRM_XYZ_fixed(png_ptr, info_ptr,
123       png_fixed(png_ptr, red_X, "cHRM Red X"),
124       png_fixed(png_ptr, red_Y, "cHRM Red Y"),
125       png_fixed(png_ptr, red_Z, "cHRM Red Z"),
126       png_fixed(png_ptr, green_X, "cHRM Green X"),
127       png_fixed(png_ptr, green_Y, "cHRM Green Y"),
128       png_fixed(png_ptr, green_Z, "cHRM Green Z"),
129       png_fixed(png_ptr, blue_X, "cHRM Blue X"),
130       png_fixed(png_ptr, blue_Y, "cHRM Blue Y"),
131       png_fixed(png_ptr, blue_Z, "cHRM Blue Z"));
132 }
133 #  endif /* FLOATING_POINT */
134 
135 #endif /* cHRM */
136 
137 #ifdef PNG_gAMA_SUPPORTED
138 void PNGFAPI
png_set_gAMA_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point file_gamma)139 png_set_gAMA_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
140     png_fixed_point file_gamma)
141 {
142    png_debug1(1, "in %s storage function", "gAMA");
143 
144    if (png_ptr == NULL || info_ptr == NULL)
145       return;
146 
147    png_colorspace_set_gamma(png_ptr, &info_ptr->colorspace, file_gamma);
148    png_colorspace_sync_info(png_ptr, info_ptr);
149 }
150 
151 #  ifdef PNG_FLOATING_POINT_SUPPORTED
152 void PNGAPI
png_set_gAMA(png_const_structrp png_ptr,png_inforp info_ptr,double file_gamma)153 png_set_gAMA(png_const_structrp png_ptr, png_inforp info_ptr, double file_gamma)
154 {
155    png_set_gAMA_fixed(png_ptr, info_ptr, png_fixed(png_ptr, file_gamma,
156        "png_set_gAMA"));
157 }
158 #  endif
159 #endif
160 
161 #ifdef PNG_hIST_SUPPORTED
162 void PNGAPI
png_set_hIST(png_const_structrp png_ptr,png_inforp info_ptr,png_const_uint_16p hist)163 png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
164     png_const_uint_16p hist)
165 {
166    int i;
167 
168    png_debug1(1, "in %s storage function", "hIST");
169 
170    if (png_ptr == NULL || info_ptr == NULL)
171       return;
172 
173    if (info_ptr->num_palette == 0 || info_ptr->num_palette
174        > PNG_MAX_PALETTE_LENGTH)
175    {
176       png_warning(png_ptr,
177           "Invalid palette size, hIST allocation skipped");
178 
179       return;
180    }
181 
182    png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0);
183 
184    /* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in
185     * version 1.2.1
186     */
187    info_ptr->hist = png_voidcast(png_uint_16p, png_malloc_warn(png_ptr,
188        PNG_MAX_PALETTE_LENGTH * (sizeof (png_uint_16))));
189 
190    if (info_ptr->hist == NULL)
191    {
192       png_warning(png_ptr, "Insufficient memory for hIST chunk data");
193 
194       return;
195    }
196 
197    info_ptr->free_me |= PNG_FREE_HIST;
198 
199    for (i = 0; i < info_ptr->num_palette; i++)
200       info_ptr->hist[i] = hist[i];
201 
202    info_ptr->valid |= PNG_INFO_hIST;
203 }
204 #endif
205 
206 void PNGAPI
png_set_IHDR(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int interlace_type,int compression_type,int filter_type)207 png_set_IHDR(png_const_structrp png_ptr, png_inforp info_ptr,
208     png_uint_32 width, png_uint_32 height, int bit_depth,
209     int color_type, int interlace_type, int compression_type,
210     int filter_type)
211 {
212    png_debug1(1, "in %s storage function", "IHDR");
213 
214    if (png_ptr == NULL || info_ptr == NULL)
215       return;
216 
217    info_ptr->width = width;
218    info_ptr->height = height;
219    info_ptr->bit_depth = (png_byte)bit_depth;
220    info_ptr->color_type = (png_byte)color_type;
221    info_ptr->compression_type = (png_byte)compression_type;
222    info_ptr->filter_type = (png_byte)filter_type;
223    info_ptr->interlace_type = (png_byte)interlace_type;
224 
225    png_check_IHDR (png_ptr, info_ptr->width, info_ptr->height,
226        info_ptr->bit_depth, info_ptr->color_type, info_ptr->interlace_type,
227        info_ptr->compression_type, info_ptr->filter_type);
228 
229    if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
230       info_ptr->channels = 1;
231 
232    else if ((info_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
233       info_ptr->channels = 3;
234 
235    else
236       info_ptr->channels = 1;
237 
238    if ((info_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)
239       info_ptr->channels++;
240 
241    info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth);
242 
243    info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
244 }
245 
246 #ifdef PNG_oFFs_SUPPORTED
247 void PNGAPI
png_set_oFFs(png_const_structrp png_ptr,png_inforp info_ptr,png_int_32 offset_x,png_int_32 offset_y,int unit_type)248 png_set_oFFs(png_const_structrp png_ptr, png_inforp info_ptr,
249     png_int_32 offset_x, png_int_32 offset_y, int unit_type)
250 {
251    png_debug1(1, "in %s storage function", "oFFs");
252 
253    if (png_ptr == NULL || info_ptr == NULL)
254       return;
255 
256    info_ptr->x_offset = offset_x;
257    info_ptr->y_offset = offset_y;
258    info_ptr->offset_unit_type = (png_byte)unit_type;
259    info_ptr->valid |= PNG_INFO_oFFs;
260 }
261 #endif
262 
263 #ifdef PNG_pCAL_SUPPORTED
264 void PNGAPI
png_set_pCAL(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)265 png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr,
266     png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type,
267     int nparams, png_const_charp units, png_charpp params)
268 {
269    png_size_t length;
270    int i;
271 
272    png_debug1(1, "in %s storage function", "pCAL");
273 
274    if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
275        || (nparams > 0 && params == NULL))
276       return;
277 
278    length = strlen(purpose) + 1;
279    png_debug1(3, "allocating purpose for info (%lu bytes)",
280        (unsigned long)length);
281 
282    /* TODO: validate format of calibration name and unit name */
283 
284    /* Check that the type matches the specification. */
285    if (type < 0 || type > 3)
286    {
287       png_chunk_report(png_ptr, "Invalid pCAL equation type",
288             PNG_CHUNK_WRITE_ERROR);
289       return;
290    }
291 
292    if (nparams < 0 || nparams > 255)
293    {
294       png_chunk_report(png_ptr, "Invalid pCAL parameter count",
295             PNG_CHUNK_WRITE_ERROR);
296       return;
297    }
298 
299    /* Validate params[nparams] */
300    for (i=0; i<nparams; ++i)
301    {
302       if (params[i] == NULL ||
303           !png_check_fp_string(params[i], strlen(params[i])))
304       {
305          png_chunk_report(png_ptr, "Invalid format for pCAL parameter",
306                PNG_CHUNK_WRITE_ERROR);
307          return;
308       }
309    }
310 
311    info_ptr->pcal_purpose = png_voidcast(png_charp,
312        png_malloc_warn(png_ptr, length));
313 
314    if (info_ptr->pcal_purpose == NULL)
315    {
316       png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose",
317             PNG_CHUNK_WRITE_ERROR);
318       return;
319    }
320 
321    memcpy(info_ptr->pcal_purpose, purpose, length);
322 
323    png_debug(3, "storing X0, X1, type, and nparams in info");
324    info_ptr->pcal_X0 = X0;
325    info_ptr->pcal_X1 = X1;
326    info_ptr->pcal_type = (png_byte)type;
327    info_ptr->pcal_nparams = (png_byte)nparams;
328 
329    length = strlen(units) + 1;
330    png_debug1(3, "allocating units for info (%lu bytes)",
331      (unsigned long)length);
332 
333    info_ptr->pcal_units = png_voidcast(png_charp,
334       png_malloc_warn(png_ptr, length));
335 
336    if (info_ptr->pcal_units == NULL)
337    {
338       png_warning(png_ptr, "Insufficient memory for pCAL units");
339 
340       return;
341    }
342 
343    memcpy(info_ptr->pcal_units, units, length);
344 
345    info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
346        (png_size_t)((nparams + 1) * (sizeof (png_charp)))));
347 
348    if (info_ptr->pcal_params == NULL)
349    {
350       png_warning(png_ptr, "Insufficient memory for pCAL params");
351 
352       return;
353    }
354 
355    memset(info_ptr->pcal_params, 0, (nparams + 1) * (sizeof (png_charp)));
356 
357    for (i = 0; i < nparams; i++)
358    {
359       length = strlen(params[i]) + 1;
360       png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
361           (unsigned long)length);
362 
363       info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
364 
365       if (info_ptr->pcal_params[i] == NULL)
366       {
367          png_warning(png_ptr, "Insufficient memory for pCAL parameter");
368 
369          return;
370       }
371 
372       memcpy(info_ptr->pcal_params[i], params[i], length);
373    }
374 
375    info_ptr->valid |= PNG_INFO_pCAL;
376    info_ptr->free_me |= PNG_FREE_PCAL;
377 }
378 #endif
379 
380 #ifdef PNG_sCAL_SUPPORTED
381 void PNGAPI
png_set_sCAL_s(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_const_charp swidth,png_const_charp sheight)382 png_set_sCAL_s(png_const_structrp png_ptr, png_inforp info_ptr,
383     int unit, png_const_charp swidth, png_const_charp sheight)
384 {
385    png_size_t lengthw = 0, lengthh = 0;
386 
387    png_debug1(1, "in %s storage function", "sCAL");
388 
389    if (png_ptr == NULL || info_ptr == NULL)
390       return;
391 
392    /* Double check the unit (should never get here with an invalid
393     * unit unless this is an API call.)
394     */
395    if (unit != 1 && unit != 2)
396       png_error(png_ptr, "Invalid sCAL unit");
397 
398    if (swidth == NULL || (lengthw = strlen(swidth)) == 0 ||
399        swidth[0] == 45 /* '-' */ || !png_check_fp_string(swidth, lengthw))
400       png_error(png_ptr, "Invalid sCAL width");
401 
402    if (sheight == NULL || (lengthh = strlen(sheight)) == 0 ||
403        sheight[0] == 45 /* '-' */ || !png_check_fp_string(sheight, lengthh))
404       png_error(png_ptr, "Invalid sCAL height");
405 
406    info_ptr->scal_unit = (png_byte)unit;
407 
408    ++lengthw;
409 
410    png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthw);
411 
412    info_ptr->scal_s_width = png_voidcast(png_charp,
413       png_malloc_warn(png_ptr, lengthw));
414 
415    if (info_ptr->scal_s_width == NULL)
416    {
417       png_warning(png_ptr, "Memory allocation failed while processing sCAL");
418 
419       return;
420    }
421 
422    memcpy(info_ptr->scal_s_width, swidth, lengthw);
423 
424    ++lengthh;
425 
426    png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthh);
427 
428    info_ptr->scal_s_height = png_voidcast(png_charp,
429       png_malloc_warn(png_ptr, lengthh));
430 
431    if (info_ptr->scal_s_height == NULL)
432    {
433       png_free (png_ptr, info_ptr->scal_s_width);
434       info_ptr->scal_s_width = NULL;
435 
436       png_warning(png_ptr, "Memory allocation failed while processing sCAL");
437 
438       return;
439    }
440 
441    memcpy(info_ptr->scal_s_height, sheight, lengthh);
442 
443    info_ptr->valid |= PNG_INFO_sCAL;
444    info_ptr->free_me |= PNG_FREE_SCAL;
445 }
446 
447 #  ifdef PNG_FLOATING_POINT_SUPPORTED
448 void PNGAPI
png_set_sCAL(png_const_structrp png_ptr,png_inforp info_ptr,int unit,double width,double height)449 png_set_sCAL(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
450     double width, double height)
451 {
452    png_debug1(1, "in %s storage function", "sCAL");
453 
454    /* Check the arguments. */
455    if (width <= 0)
456       png_warning(png_ptr, "Invalid sCAL width ignored");
457 
458    else if (height <= 0)
459       png_warning(png_ptr, "Invalid sCAL height ignored");
460 
461    else
462    {
463       /* Convert 'width' and 'height' to ASCII. */
464       char swidth[PNG_sCAL_MAX_DIGITS+1];
465       char sheight[PNG_sCAL_MAX_DIGITS+1];
466 
467       png_ascii_from_fp(png_ptr, swidth, (sizeof swidth), width,
468          PNG_sCAL_PRECISION);
469       png_ascii_from_fp(png_ptr, sheight, (sizeof sheight), height,
470          PNG_sCAL_PRECISION);
471 
472       png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
473    }
474 }
475 #  endif
476 
477 #  ifdef PNG_FIXED_POINT_SUPPORTED
478 void PNGAPI
png_set_sCAL_fixed(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_fixed_point width,png_fixed_point height)479 png_set_sCAL_fixed(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
480     png_fixed_point width, png_fixed_point height)
481 {
482    png_debug1(1, "in %s storage function", "sCAL");
483 
484    /* Check the arguments. */
485    if (width <= 0)
486       png_warning(png_ptr, "Invalid sCAL width ignored");
487 
488    else if (height <= 0)
489       png_warning(png_ptr, "Invalid sCAL height ignored");
490 
491    else
492    {
493       /* Convert 'width' and 'height' to ASCII. */
494       char swidth[PNG_sCAL_MAX_DIGITS+1];
495       char sheight[PNG_sCAL_MAX_DIGITS+1];
496 
497       png_ascii_from_fixed(png_ptr, swidth, (sizeof swidth), width);
498       png_ascii_from_fixed(png_ptr, sheight, (sizeof sheight), height);
499 
500       png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
501    }
502 }
503 #  endif
504 #endif
505 
506 #ifdef PNG_pHYs_SUPPORTED
507 void PNGAPI
png_set_pHYs(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 res_x,png_uint_32 res_y,int unit_type)508 png_set_pHYs(png_const_structrp png_ptr, png_inforp info_ptr,
509     png_uint_32 res_x, png_uint_32 res_y, int unit_type)
510 {
511    png_debug1(1, "in %s storage function", "pHYs");
512 
513    if (png_ptr == NULL || info_ptr == NULL)
514       return;
515 
516    info_ptr->x_pixels_per_unit = res_x;
517    info_ptr->y_pixels_per_unit = res_y;
518    info_ptr->phys_unit_type = (png_byte)unit_type;
519    info_ptr->valid |= PNG_INFO_pHYs;
520 }
521 #endif
522 
523 void PNGAPI
png_set_PLTE(png_structrp png_ptr,png_inforp info_ptr,png_const_colorp palette,int num_palette)524 png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
525     png_const_colorp palette, int num_palette)
526 {
527 
528    png_uint_32 max_palette_length;
529 
530    png_debug1(1, "in %s storage function", "PLTE");
531 
532    if (png_ptr == NULL || info_ptr == NULL)
533       return;
534 
535    max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
536       (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
537 
538    if (num_palette < 0 || num_palette > (int) max_palette_length)
539    {
540       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
541          png_error(png_ptr, "Invalid palette length");
542 
543       else
544       {
545          png_warning(png_ptr, "Invalid palette length");
546 
547          return;
548       }
549    }
550 
551    if ((num_palette > 0 && palette == NULL) ||
552       (num_palette == 0
553 #        ifdef PNG_MNG_FEATURES_SUPPORTED
554             && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
555 #        endif
556       ))
557    {
558       png_error(png_ptr, "Invalid palette");
559    }
560 
561    /* It may not actually be necessary to set png_ptr->palette here;
562     * we do it for backward compatibility with the way the png_handle_tRNS
563     * function used to do the allocation.
564     *
565     * 1.6.0: the above statement appears to be incorrect; something has to set
566     * the palette inside png_struct on read.
567     */
568    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
569 
570    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
571     * of num_palette entries, in case of an invalid PNG file or incorrect
572     * call to png_set_PLTE() with too-large sample values.
573     */
574    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
575        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
576 
577    if (num_palette > 0)
578       memcpy(png_ptr->palette, palette, num_palette * (sizeof (png_color)));
579    info_ptr->palette = png_ptr->palette;
580    info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
581 
582    info_ptr->free_me |= PNG_FREE_PLTE;
583 
584    info_ptr->valid |= PNG_INFO_PLTE;
585 }
586 
587 #ifdef PNG_sBIT_SUPPORTED
588 void PNGAPI
png_set_sBIT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_8p sig_bit)589 png_set_sBIT(png_const_structrp png_ptr, png_inforp info_ptr,
590     png_const_color_8p sig_bit)
591 {
592    png_debug1(1, "in %s storage function", "sBIT");
593 
594    if (png_ptr == NULL || info_ptr == NULL || sig_bit == NULL)
595       return;
596 
597    info_ptr->sig_bit = *sig_bit;
598    info_ptr->valid |= PNG_INFO_sBIT;
599 }
600 #endif
601 
602 #ifdef PNG_sRGB_SUPPORTED
603 void PNGAPI
png_set_sRGB(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)604 png_set_sRGB(png_const_structrp png_ptr, png_inforp info_ptr, int srgb_intent)
605 {
606    png_debug1(1, "in %s storage function", "sRGB");
607 
608    if (png_ptr == NULL || info_ptr == NULL)
609       return;
610 
611    (void)png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace, srgb_intent);
612    png_colorspace_sync_info(png_ptr, info_ptr);
613 }
614 
615 void PNGAPI
png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)616 png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
617     int srgb_intent)
618 {
619    png_debug1(1, "in %s storage function", "sRGB_gAMA_and_cHRM");
620 
621    if (png_ptr == NULL || info_ptr == NULL)
622       return;
623 
624    if (png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace,
625        srgb_intent) != 0)
626    {
627       /* This causes the gAMA and cHRM to be written too */
628       info_ptr->colorspace.flags |=
629          PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
630    }
631 
632    png_colorspace_sync_info(png_ptr, info_ptr);
633 }
634 #endif /* sRGB */
635 
636 
637 #ifdef PNG_iCCP_SUPPORTED
638 void PNGAPI
png_set_iCCP(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp name,int compression_type,png_const_bytep profile,png_uint_32 proflen)639 png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
640     png_const_charp name, int compression_type,
641     png_const_bytep profile, png_uint_32 proflen)
642 {
643    png_charp new_iccp_name;
644    png_bytep new_iccp_profile;
645    png_size_t length;
646 
647    png_debug1(1, "in %s storage function", "iCCP");
648 
649    if (png_ptr == NULL || info_ptr == NULL || name == NULL || profile == NULL)
650       return;
651 
652    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
653       png_app_error(png_ptr, "Invalid iCCP compression method");
654 
655    /* Set the colorspace first because this validates the profile; do not
656     * override previously set app cHRM or gAMA here (because likely as not the
657     * application knows better than libpng what the correct values are.)  Pass
658     * the info_ptr color_type field to png_colorspace_set_ICC because in the
659     * write case it has not yet been stored in png_ptr.
660     */
661    {
662       int result = png_colorspace_set_ICC(png_ptr, &info_ptr->colorspace, name,
663          proflen, profile, info_ptr->color_type);
664 
665       png_colorspace_sync_info(png_ptr, info_ptr);
666 
667       /* Don't do any of the copying if the profile was bad, or inconsistent. */
668       if (result == 0)
669          return;
670 
671       /* But do write the gAMA and cHRM chunks from the profile. */
672       info_ptr->colorspace.flags |=
673          PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
674    }
675 
676    length = strlen(name)+1;
677    new_iccp_name = png_voidcast(png_charp, png_malloc_warn(png_ptr, length));
678 
679    if (new_iccp_name == NULL)
680    {
681       png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk");
682 
683       return;
684    }
685 
686    memcpy(new_iccp_name, name, length);
687    new_iccp_profile = png_voidcast(png_bytep,
688       png_malloc_warn(png_ptr, proflen));
689 
690    if (new_iccp_profile == NULL)
691    {
692       png_free(png_ptr, new_iccp_name);
693       png_benign_error(png_ptr,
694           "Insufficient memory to process iCCP profile");
695 
696       return;
697    }
698 
699    memcpy(new_iccp_profile, profile, proflen);
700 
701    png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, 0);
702 
703    info_ptr->iccp_proflen = proflen;
704    info_ptr->iccp_name = new_iccp_name;
705    info_ptr->iccp_profile = new_iccp_profile;
706    info_ptr->free_me |= PNG_FREE_ICCP;
707    info_ptr->valid |= PNG_INFO_iCCP;
708 }
709 #endif
710 
711 #ifdef PNG_TEXT_SUPPORTED
712 void PNGAPI
png_set_text(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)713 png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
714     png_const_textp text_ptr, int num_text)
715 {
716    int ret;
717    ret = png_set_text_2(png_ptr, info_ptr, text_ptr, num_text);
718 
719    if (ret != 0)
720       png_error(png_ptr, "Insufficient memory to store text");
721 }
722 
723 int /* PRIVATE */
png_set_text_2(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)724 png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
725     png_const_textp text_ptr, int num_text)
726 {
727    int i;
728 
729    png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U :
730       (unsigned long)png_ptr->chunk_name);
731 
732    if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
733       return(0);
734 
735    /* Make sure we have enough space in the "text" array in info_struct
736     * to hold all of the incoming text_ptr objects.  This compare can't overflow
737     * because max_text >= num_text (anyway, subtract of two positive integers
738     * can't overflow in any case.)
739     */
740    if (num_text > info_ptr->max_text - info_ptr->num_text)
741    {
742       int old_num_text = info_ptr->num_text;
743       int max_text;
744       png_textp new_text = NULL;
745 
746       /* Calculate an appropriate max_text, checking for overflow. */
747       max_text = old_num_text;
748       if (num_text <= INT_MAX - max_text)
749       {
750          max_text += num_text;
751 
752          /* Round up to a multiple of 8 */
753          if (max_text < INT_MAX-8)
754             max_text = (max_text + 8) & ~0x7;
755 
756          else
757             max_text = INT_MAX;
758 
759          /* Now allocate a new array and copy the old members in; this does all
760           * the overflow checks.
761           */
762          new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
763             info_ptr->text, old_num_text, max_text-old_num_text,
764             sizeof *new_text));
765       }
766 
767       if (new_text == NULL)
768       {
769          png_chunk_report(png_ptr, "too many text chunks",
770             PNG_CHUNK_WRITE_ERROR);
771 
772          return 1;
773       }
774 
775       png_free(png_ptr, info_ptr->text);
776 
777       info_ptr->text = new_text;
778       info_ptr->free_me |= PNG_FREE_TEXT;
779       info_ptr->max_text = max_text;
780       /* num_text is adjusted below as the entries are copied in */
781 
782       png_debug1(3, "allocated %d entries for info_ptr->text", max_text);
783    }
784 
785    for (i = 0; i < num_text; i++)
786    {
787       size_t text_length, key_len;
788       size_t lang_len, lang_key_len;
789       png_textp textp = &(info_ptr->text[info_ptr->num_text]);
790 
791       if (text_ptr[i].key == NULL)
792           continue;
793 
794       if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
795           text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
796       {
797          png_chunk_report(png_ptr, "text compression mode is out of range",
798             PNG_CHUNK_WRITE_ERROR);
799          continue;
800       }
801 
802       key_len = strlen(text_ptr[i].key);
803 
804       if (text_ptr[i].compression <= 0)
805       {
806          lang_len = 0;
807          lang_key_len = 0;
808       }
809 
810       else
811 #  ifdef PNG_iTXt_SUPPORTED
812       {
813          /* Set iTXt data */
814 
815          if (text_ptr[i].lang != NULL)
816             lang_len = strlen(text_ptr[i].lang);
817 
818          else
819             lang_len = 0;
820 
821          if (text_ptr[i].lang_key != NULL)
822             lang_key_len = strlen(text_ptr[i].lang_key);
823 
824          else
825             lang_key_len = 0;
826       }
827 #  else /* iTXt */
828       {
829          png_chunk_report(png_ptr, "iTXt chunk not supported",
830             PNG_CHUNK_WRITE_ERROR);
831          continue;
832       }
833 #  endif
834 
835       if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
836       {
837          text_length = 0;
838 #  ifdef PNG_iTXt_SUPPORTED
839          if (text_ptr[i].compression > 0)
840             textp->compression = PNG_ITXT_COMPRESSION_NONE;
841 
842          else
843 #  endif
844             textp->compression = PNG_TEXT_COMPRESSION_NONE;
845       }
846 
847       else
848       {
849          text_length = strlen(text_ptr[i].text);
850          textp->compression = text_ptr[i].compression;
851       }
852 
853       textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr,
854           key_len + text_length + lang_len + lang_key_len + 4));
855 
856       if (textp->key == NULL)
857       {
858          png_chunk_report(png_ptr, "text chunk: out of memory",
859                PNG_CHUNK_WRITE_ERROR);
860 
861          return 1;
862       }
863 
864       png_debug2(2, "Allocated %lu bytes at %p in png_set_text",
865           (unsigned long)(png_uint_32)
866           (key_len + lang_len + lang_key_len + text_length + 4),
867           textp->key);
868 
869       memcpy(textp->key, text_ptr[i].key, key_len);
870       *(textp->key + key_len) = '\0';
871 
872       if (text_ptr[i].compression > 0)
873       {
874          textp->lang = textp->key + key_len + 1;
875          memcpy(textp->lang, text_ptr[i].lang, lang_len);
876          *(textp->lang + lang_len) = '\0';
877          textp->lang_key = textp->lang + lang_len + 1;
878          memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len);
879          *(textp->lang_key + lang_key_len) = '\0';
880          textp->text = textp->lang_key + lang_key_len + 1;
881       }
882 
883       else
884       {
885          textp->lang=NULL;
886          textp->lang_key=NULL;
887          textp->text = textp->key + key_len + 1;
888       }
889 
890       if (text_length != 0)
891          memcpy(textp->text, text_ptr[i].text, text_length);
892 
893       *(textp->text + text_length) = '\0';
894 
895 #  ifdef PNG_iTXt_SUPPORTED
896       if (textp->compression > 0)
897       {
898          textp->text_length = 0;
899          textp->itxt_length = text_length;
900       }
901 
902       else
903 #  endif
904       {
905          textp->text_length = text_length;
906          textp->itxt_length = 0;
907       }
908 
909       info_ptr->num_text++;
910       png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
911    }
912 
913    return(0);
914 }
915 #endif
916 
917 #ifdef PNG_tIME_SUPPORTED
918 void PNGAPI
png_set_tIME(png_const_structrp png_ptr,png_inforp info_ptr,png_const_timep mod_time)919 png_set_tIME(png_const_structrp png_ptr, png_inforp info_ptr,
920     png_const_timep mod_time)
921 {
922    png_debug1(1, "in %s storage function", "tIME");
923 
924    if (png_ptr == NULL || info_ptr == NULL || mod_time == NULL ||
925        (png_ptr->mode & PNG_WROTE_tIME) != 0)
926       return;
927 
928    if (mod_time->month == 0   || mod_time->month > 12  ||
929        mod_time->day   == 0   || mod_time->day   > 31  ||
930        mod_time->hour  > 23   || mod_time->minute > 59 ||
931        mod_time->second > 60)
932    {
933       png_warning(png_ptr, "Ignoring invalid time value");
934 
935       return;
936    }
937 
938    info_ptr->mod_time = *mod_time;
939    info_ptr->valid |= PNG_INFO_tIME;
940 }
941 #endif
942 
943 #ifdef PNG_tRNS_SUPPORTED
944 void PNGAPI
png_set_tRNS(png_structrp png_ptr,png_inforp info_ptr,png_const_bytep trans_alpha,int num_trans,png_const_color_16p trans_color)945 png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
946     png_const_bytep trans_alpha, int num_trans, png_const_color_16p trans_color)
947 {
948    png_debug1(1, "in %s storage function", "tRNS");
949 
950    if (png_ptr == NULL || info_ptr == NULL)
951 
952       return;
953 
954    if (trans_alpha != NULL)
955    {
956        /* It may not actually be necessary to set png_ptr->trans_alpha here;
957         * we do it for backward compatibility with the way the png_handle_tRNS
958         * function used to do the allocation.
959         *
960         * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
961         * relies on png_set_tRNS storing the information in png_struct
962         * (otherwise it won't be there for the code in pngrtran.c).
963         */
964 
965        png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
966 
967        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
968        {
969          /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
970           info_ptr->trans_alpha = png_voidcast(png_bytep,
971              png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
972 
973           memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
974        }
975        png_ptr->trans_alpha = info_ptr->trans_alpha;
976    }
977 
978    if (trans_color != NULL)
979    {
980 #ifdef PNG_WARNINGS_SUPPORTED
981       if (info_ptr->bit_depth < 16)
982       {
983          int sample_max = (1 << info_ptr->bit_depth) - 1;
984 
985          if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
986              trans_color->gray > sample_max) ||
987              (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
988              (trans_color->red > sample_max ||
989              trans_color->green > sample_max ||
990              trans_color->blue > sample_max)))
991             png_warning(png_ptr,
992                "tRNS chunk has out-of-range samples for bit_depth");
993       }
994 #endif
995 
996       info_ptr->trans_color = *trans_color;
997 
998       if (num_trans == 0)
999          num_trans = 1;
1000    }
1001 
1002    info_ptr->num_trans = (png_uint_16)num_trans;
1003 
1004    if (num_trans != 0)
1005    {
1006       info_ptr->valid |= PNG_INFO_tRNS;
1007       info_ptr->free_me |= PNG_FREE_TRNS;
1008    }
1009 }
1010 #endif
1011 
1012 #ifdef PNG_sPLT_SUPPORTED
1013 void PNGAPI
png_set_sPLT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_sPLT_tp entries,int nentries)1014 png_set_sPLT(png_const_structrp png_ptr,
1015     png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
1016 /*
1017  *  entries        - array of png_sPLT_t structures
1018  *                   to be added to the list of palettes
1019  *                   in the info structure.
1020  *
1021  *  nentries       - number of palette structures to be
1022  *                   added.
1023  */
1024 {
1025    png_sPLT_tp np;
1026 
1027    if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL)
1028       return;
1029 
1030    /* Use the internal realloc function, which checks for all the possible
1031     * overflows.  Notice that the parameters are (int) and (size_t)
1032     */
1033    np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr,
1034       info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries,
1035       sizeof *np));
1036 
1037    if (np == NULL)
1038    {
1039       /* Out of memory or too many chunks */
1040       png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
1041 
1042       return;
1043    }
1044 
1045    png_free(png_ptr, info_ptr->splt_palettes);
1046    info_ptr->splt_palettes = np;
1047    info_ptr->free_me |= PNG_FREE_SPLT;
1048 
1049    np += info_ptr->splt_palettes_num;
1050 
1051    do
1052    {
1053       png_size_t length;
1054 
1055       /* Skip invalid input entries */
1056       if (entries->name == NULL || entries->entries == NULL)
1057       {
1058          /* png_handle_sPLT doesn't do this, so this is an app error */
1059          png_app_error(png_ptr, "png_set_sPLT: invalid sPLT");
1060          /* Just skip the invalid entry */
1061          continue;
1062       }
1063 
1064       np->depth = entries->depth;
1065 
1066       /* In the event of out-of-memory just return - there's no point keeping
1067        * on trying to add sPLT chunks.
1068        */
1069       length = strlen(entries->name) + 1;
1070       np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
1071 
1072       if (np->name == NULL)
1073          break;
1074 
1075       memcpy(np->name, entries->name, length);
1076 
1077       /* IMPORTANT: we have memory now that won't get freed if something else
1078        * goes wrong; this code must free it.  png_malloc_array produces no
1079        * warnings; use a png_chunk_report (below) if there is an error.
1080        */
1081       np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
1082           entries->nentries, sizeof (png_sPLT_entry)));
1083 
1084       if (np->entries == NULL)
1085       {
1086          png_free(png_ptr, np->name);
1087          np->name = NULL;
1088          break;
1089       }
1090 
1091       np->nentries = entries->nentries;
1092       /* This multiply can't overflow because png_malloc_array has already
1093        * checked it when doing the allocation.
1094        */
1095       memcpy(np->entries, entries->entries,
1096          entries->nentries * sizeof (png_sPLT_entry));
1097 
1098       /* Note that 'continue' skips the advance of the out pointer and out
1099        * count, so an invalid entry is not added.
1100        */
1101       info_ptr->valid |= PNG_INFO_sPLT;
1102       ++(info_ptr->splt_palettes_num);
1103       ++np;
1104    }
1105    while (++entries, --nentries);
1106 
1107    if (nentries > 0)
1108       png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
1109 }
1110 #endif /* sPLT */
1111 
1112 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
1113 static png_byte
check_location(png_const_structrp png_ptr,int location)1114 check_location(png_const_structrp png_ptr, int location)
1115 {
1116    location &= (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT);
1117 
1118    /* New in 1.6.0; copy the location and check it.  This is an API
1119     * change; previously the app had to use the
1120     * png_set_unknown_chunk_location API below for each chunk.
1121     */
1122    if (location == 0 && (png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1123    {
1124       /* Write struct, so unknown chunks come from the app */
1125       png_app_warning(png_ptr,
1126          "png_set_unknown_chunks now expects a valid location");
1127       /* Use the old behavior */
1128       location = (png_byte)(png_ptr->mode &
1129          (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT));
1130    }
1131 
1132    /* This need not be an internal error - if the app calls
1133     * png_set_unknown_chunks on a read pointer it must get the location right.
1134     */
1135    if (location == 0)
1136       png_error(png_ptr, "invalid location in png_set_unknown_chunks");
1137 
1138    /* Now reduce the location to the top-most set bit by removing each least
1139     * significant bit in turn.
1140     */
1141    while (location != (location & -location))
1142       location &= ~(location & -location);
1143 
1144    /* The cast is safe because 'location' is a bit mask and only the low four
1145     * bits are significant.
1146     */
1147    return (png_byte)location;
1148 }
1149 
1150 void PNGAPI
png_set_unknown_chunks(png_const_structrp png_ptr,png_inforp info_ptr,png_const_unknown_chunkp unknowns,int num_unknowns)1151 png_set_unknown_chunks(png_const_structrp png_ptr,
1152    png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
1153 {
1154    png_unknown_chunkp np;
1155 
1156    if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
1157        unknowns == NULL)
1158       return;
1159 
1160    /* Check for the failure cases where support has been disabled at compile
1161     * time.  This code is hardly ever compiled - it's here because
1162     * STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this
1163     * code) but may be meaningless if the read or write handling of unknown
1164     * chunks is not compiled in.
1165     */
1166 #  if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
1167       defined(PNG_READ_SUPPORTED)
1168       if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1169       {
1170          png_app_error(png_ptr, "no unknown chunk support on read");
1171 
1172          return;
1173       }
1174 #  endif
1175 #  if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
1176       defined(PNG_WRITE_SUPPORTED)
1177       if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1178       {
1179          png_app_error(png_ptr, "no unknown chunk support on write");
1180 
1181          return;
1182       }
1183 #  endif
1184 
1185    /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
1186     * unknown critical chunks could be lost with just a warning resulting in
1187     * undefined behavior.  Now png_chunk_report is used to provide behavior
1188     * appropriate to read or write.
1189     */
1190    np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr,
1191          info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns,
1192          sizeof *np));
1193 
1194    if (np == NULL)
1195    {
1196       png_chunk_report(png_ptr, "too many unknown chunks",
1197          PNG_CHUNK_WRITE_ERROR);
1198 
1199       return;
1200    }
1201 
1202    png_free(png_ptr, info_ptr->unknown_chunks);
1203    info_ptr->unknown_chunks = np; /* safe because it is initialized */
1204    info_ptr->free_me |= PNG_FREE_UNKN;
1205 
1206    np += info_ptr->unknown_chunks_num;
1207 
1208    /* Increment unknown_chunks_num each time round the loop to protect the
1209     * just-allocated chunk data.
1210     */
1211    for (; num_unknowns > 0; --num_unknowns, ++unknowns)
1212    {
1213       memcpy(np->name, unknowns->name, (sizeof np->name));
1214       np->name[(sizeof np->name)-1] = '\0';
1215       np->location = check_location(png_ptr, unknowns->location);
1216 
1217       if (unknowns->size == 0)
1218       {
1219          np->data = NULL;
1220          np->size = 0;
1221       }
1222 
1223       else
1224       {
1225          np->data = png_voidcast(png_bytep,
1226             png_malloc_base(png_ptr, unknowns->size));
1227 
1228          if (np->data == NULL)
1229          {
1230             png_chunk_report(png_ptr, "unknown chunk: out of memory",
1231                PNG_CHUNK_WRITE_ERROR);
1232             /* But just skip storing the unknown chunk */
1233             continue;
1234          }
1235 
1236          memcpy(np->data, unknowns->data, unknowns->size);
1237          np->size = unknowns->size;
1238       }
1239 
1240       /* These increments are skipped on out-of-memory for the data - the
1241        * unknown chunk entry gets overwritten if the png_chunk_report returns.
1242        * This is correct in the read case (the chunk is just dropped.)
1243        */
1244       ++np;
1245       ++(info_ptr->unknown_chunks_num);
1246    }
1247 }
1248 
1249 void PNGAPI
png_set_unknown_chunk_location(png_const_structrp png_ptr,png_inforp info_ptr,int chunk,int location)1250 png_set_unknown_chunk_location(png_const_structrp png_ptr, png_inforp info_ptr,
1251     int chunk, int location)
1252 {
1253    /* This API is pretty pointless in 1.6.0 because the location can be set
1254     * before the call to png_set_unknown_chunks.
1255     *
1256     * TODO: add a png_app_warning in 1.7
1257     */
1258    if (png_ptr != NULL && info_ptr != NULL && chunk >= 0 &&
1259       chunk < info_ptr->unknown_chunks_num)
1260    {
1261       if ((location & (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT)) == 0)
1262       {
1263          png_app_error(png_ptr, "invalid unknown chunk location");
1264          /* Fake out the pre 1.6.0 behavior: */
1265          if ((location & PNG_HAVE_IDAT) != 0) /* undocumented! */
1266             location = PNG_AFTER_IDAT;
1267 
1268          else
1269             location = PNG_HAVE_IHDR; /* also undocumented */
1270       }
1271 
1272       info_ptr->unknown_chunks[chunk].location =
1273          check_location(png_ptr, location);
1274    }
1275 }
1276 #endif /* STORE_UNKNOWN_CHUNKS */
1277 
1278 #ifdef PNG_MNG_FEATURES_SUPPORTED
1279 png_uint_32 PNGAPI
png_permit_mng_features(png_structrp png_ptr,png_uint_32 mng_features)1280 png_permit_mng_features (png_structrp png_ptr, png_uint_32 mng_features)
1281 {
1282    png_debug(1, "in png_permit_mng_features");
1283 
1284    if (png_ptr == NULL)
1285       return 0;
1286 
1287    png_ptr->mng_features_permitted = mng_features & PNG_ALL_MNG_FEATURES;
1288 
1289    return png_ptr->mng_features_permitted;
1290 }
1291 #endif
1292 
1293 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
1294 static unsigned int
add_one_chunk(png_bytep list,unsigned int count,png_const_bytep add,int keep)1295 add_one_chunk(png_bytep list, unsigned int count, png_const_bytep add, int keep)
1296 {
1297    unsigned int i;
1298 
1299    /* Utility function: update the 'keep' state of a chunk if it is already in
1300     * the list, otherwise add it to the list.
1301     */
1302    for (i=0; i<count; ++i, list += 5)
1303    {
1304       if (memcmp(list, add, 4) == 0)
1305       {
1306          list[4] = (png_byte)keep;
1307 
1308          return count;
1309       }
1310    }
1311 
1312    if (keep != PNG_HANDLE_CHUNK_AS_DEFAULT)
1313    {
1314       ++count;
1315       memcpy(list, add, 4);
1316       list[4] = (png_byte)keep;
1317    }
1318 
1319    return count;
1320 }
1321 
1322 void PNGAPI
png_set_keep_unknown_chunks(png_structrp png_ptr,int keep,png_const_bytep chunk_list,int num_chunks_in)1323 png_set_keep_unknown_chunks(png_structrp png_ptr, int keep,
1324     png_const_bytep chunk_list, int num_chunks_in)
1325 {
1326    png_bytep new_list;
1327    unsigned int num_chunks, old_num_chunks;
1328 
1329    if (png_ptr == NULL)
1330       return;
1331 
1332    if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST)
1333    {
1334       png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep");
1335 
1336       return;
1337    }
1338 
1339    if (num_chunks_in <= 0)
1340    {
1341       png_ptr->unknown_default = keep;
1342 
1343       /* '0' means just set the flags, so stop here */
1344       if (num_chunks_in == 0)
1345         return;
1346    }
1347 
1348    if (num_chunks_in < 0)
1349    {
1350       /* Ignore all unknown chunks and all chunks recognized by
1351        * libpng except for IHDR, PLTE, tRNS, IDAT, and IEND
1352        */
1353       static PNG_CONST png_byte chunks_to_ignore[] = {
1354          98,  75,  71,  68, '\0',  /* bKGD */
1355          99,  72,  82,  77, '\0',  /* cHRM */
1356         103,  65,  77,  65, '\0',  /* gAMA */
1357         104,  73,  83,  84, '\0',  /* hIST */
1358         105,  67,  67,  80, '\0',  /* iCCP */
1359         105,  84,  88, 116, '\0',  /* iTXt */
1360         111,  70,  70, 115, '\0',  /* oFFs */
1361         112,  67,  65,  76, '\0',  /* pCAL */
1362         112,  72,  89, 115, '\0',  /* pHYs */
1363         115,  66,  73,  84, '\0',  /* sBIT */
1364         115,  67,  65,  76, '\0',  /* sCAL */
1365         115,  80,  76,  84, '\0',  /* sPLT */
1366         115,  84,  69,  82, '\0',  /* sTER */
1367         115,  82,  71,  66, '\0',  /* sRGB */
1368         116,  69,  88, 116, '\0',  /* tEXt */
1369         116,  73,  77,  69, '\0',  /* tIME */
1370         122,  84,  88, 116, '\0'   /* zTXt */
1371       };
1372 
1373       chunk_list = chunks_to_ignore;
1374       num_chunks = (unsigned int)/*SAFE*/(sizeof chunks_to_ignore)/5U;
1375    }
1376 
1377    else /* num_chunks_in > 0 */
1378    {
1379       if (chunk_list == NULL)
1380       {
1381          /* Prior to 1.6.0 this was silently ignored, now it is an app_error
1382           * which can be switched off.
1383           */
1384          png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list");
1385 
1386          return;
1387       }
1388 
1389       num_chunks = num_chunks_in;
1390    }
1391 
1392    old_num_chunks = png_ptr->num_chunk_list;
1393    if (png_ptr->chunk_list == NULL)
1394       old_num_chunks = 0;
1395 
1396    /* Since num_chunks is always restricted to UINT_MAX/5 this can't overflow.
1397     */
1398    if (num_chunks + old_num_chunks > UINT_MAX/5)
1399    {
1400       png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
1401 
1402       return;
1403    }
1404 
1405    /* If these chunks are being reset to the default then no more memory is
1406     * required because add_one_chunk above doesn't extend the list if the 'keep'
1407     * parameter is the default.
1408     */
1409    if (keep != 0)
1410    {
1411       new_list = png_voidcast(png_bytep, png_malloc(png_ptr,
1412           5 * (num_chunks + old_num_chunks)));
1413 
1414       if (old_num_chunks > 0)
1415          memcpy(new_list, png_ptr->chunk_list, 5*old_num_chunks);
1416    }
1417 
1418    else if (old_num_chunks > 0)
1419       new_list = png_ptr->chunk_list;
1420 
1421    else
1422       new_list = NULL;
1423 
1424    /* Add the new chunks together with each one's handling code.  If the chunk
1425     * already exists the code is updated, otherwise the chunk is added to the
1426     * end.  (In libpng 1.6.0 order no longer matters because this code enforces
1427     * the earlier convention that the last setting is the one that is used.)
1428     */
1429    if (new_list != NULL)
1430    {
1431       png_const_bytep inlist;
1432       png_bytep outlist;
1433       unsigned int i;
1434 
1435       for (i=0; i<num_chunks; ++i)
1436       {
1437          old_num_chunks = add_one_chunk(new_list, old_num_chunks,
1438             chunk_list+5*i, keep);
1439       }
1440 
1441       /* Now remove any spurious 'default' entries. */
1442       num_chunks = 0;
1443       for (i=0, inlist=outlist=new_list; i<old_num_chunks; ++i, inlist += 5)
1444       {
1445          if (inlist[4])
1446          {
1447             if (outlist != inlist)
1448                memcpy(outlist, inlist, 5);
1449             outlist += 5;
1450             ++num_chunks;
1451          }
1452       }
1453 
1454       /* This means the application has removed all the specialized handling. */
1455       if (num_chunks == 0)
1456       {
1457          if (png_ptr->chunk_list != new_list)
1458             png_free(png_ptr, new_list);
1459 
1460          new_list = NULL;
1461       }
1462    }
1463 
1464    else
1465       num_chunks = 0;
1466 
1467    png_ptr->num_chunk_list = num_chunks;
1468 
1469    if (png_ptr->chunk_list != new_list)
1470    {
1471       if (png_ptr->chunk_list != NULL)
1472          png_free(png_ptr, png_ptr->chunk_list);
1473 
1474       png_ptr->chunk_list = new_list;
1475    }
1476 }
1477 #endif
1478 
1479 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1480 void PNGAPI
png_set_read_user_chunk_fn(png_structrp png_ptr,png_voidp user_chunk_ptr,png_user_chunk_ptr read_user_chunk_fn)1481 png_set_read_user_chunk_fn(png_structrp png_ptr, png_voidp user_chunk_ptr,
1482     png_user_chunk_ptr read_user_chunk_fn)
1483 {
1484    png_debug(1, "in png_set_read_user_chunk_fn");
1485 
1486    if (png_ptr == NULL)
1487       return;
1488 
1489    png_ptr->read_user_chunk_fn = read_user_chunk_fn;
1490    png_ptr->user_chunk_ptr = user_chunk_ptr;
1491 }
1492 #endif
1493 
1494 #ifdef PNG_INFO_IMAGE_SUPPORTED
1495 void PNGAPI
png_set_rows(png_const_structrp png_ptr,png_inforp info_ptr,png_bytepp row_pointers)1496 png_set_rows(png_const_structrp png_ptr, png_inforp info_ptr,
1497     png_bytepp row_pointers)
1498 {
1499    png_debug1(1, "in %s storage function", "rows");
1500 
1501    if (png_ptr == NULL || info_ptr == NULL)
1502       return;
1503 
1504    if (info_ptr->row_pointers != NULL &&
1505        (info_ptr->row_pointers != row_pointers))
1506       png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0);
1507 
1508    info_ptr->row_pointers = row_pointers;
1509 
1510    if (row_pointers != NULL)
1511       info_ptr->valid |= PNG_INFO_IDAT;
1512 }
1513 #endif
1514 
1515 void PNGAPI
png_set_compression_buffer_size(png_structrp png_ptr,png_size_t size)1516 png_set_compression_buffer_size(png_structrp png_ptr, png_size_t size)
1517 {
1518     if (png_ptr == NULL)
1519        return;
1520 
1521     if (size == 0 || size > PNG_UINT_31_MAX)
1522        png_error(png_ptr, "invalid compression buffer size");
1523 
1524 #  ifdef PNG_SEQUENTIAL_READ_SUPPORTED
1525       if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1526       {
1527          png_ptr->IDAT_read_size = (png_uint_32)size; /* checked above */
1528          return;
1529       }
1530 #  endif
1531 
1532 #  ifdef PNG_WRITE_SUPPORTED
1533       if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1534       {
1535          if (png_ptr->zowner != 0)
1536          {
1537             png_warning(png_ptr,
1538               "Compression buffer size cannot be changed because it is in use");
1539 
1540             return;
1541          }
1542 
1543 #ifndef __COVERITY__
1544          /* Some compilers complain that this is always false.  However, it
1545           * can be true when integer overflow happens.
1546           */
1547          if (size > ZLIB_IO_MAX)
1548          {
1549             png_warning(png_ptr,
1550                "Compression buffer size limited to system maximum");
1551             size = ZLIB_IO_MAX; /* must fit */
1552          }
1553 #endif
1554 
1555          if (size < 6)
1556          {
1557             /* Deflate will potentially go into an infinite loop on a SYNC_FLUSH
1558              * if this is permitted.
1559              */
1560             png_warning(png_ptr,
1561                "Compression buffer size cannot be reduced below 6");
1562 
1563             return;
1564          }
1565 
1566          if (png_ptr->zbuffer_size != size)
1567          {
1568             png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list);
1569             png_ptr->zbuffer_size = (uInt)size;
1570          }
1571       }
1572 #  endif
1573 }
1574 
1575 void PNGAPI
png_set_invalid(png_const_structrp png_ptr,png_inforp info_ptr,int mask)1576 png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask)
1577 {
1578    if (png_ptr != NULL && info_ptr != NULL)
1579       info_ptr->valid &= ~mask;
1580 }
1581 
1582 
1583 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
1584 /* This function was added to libpng 1.2.6 */
1585 void PNGAPI
png_set_user_limits(png_structrp png_ptr,png_uint_32 user_width_max,png_uint_32 user_height_max)1586 png_set_user_limits (png_structrp png_ptr, png_uint_32 user_width_max,
1587     png_uint_32 user_height_max)
1588 {
1589    /* Images with dimensions larger than these limits will be
1590     * rejected by png_set_IHDR().  To accept any PNG datastream
1591     * regardless of dimensions, set both limits to 0x7fffffff.
1592     */
1593    if (png_ptr == NULL)
1594       return;
1595 
1596    png_ptr->user_width_max = user_width_max;
1597    png_ptr->user_height_max = user_height_max;
1598 }
1599 
1600 /* This function was added to libpng 1.4.0 */
1601 void PNGAPI
png_set_chunk_cache_max(png_structrp png_ptr,png_uint_32 user_chunk_cache_max)1602 png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
1603 {
1604    if (png_ptr != NULL)
1605       png_ptr->user_chunk_cache_max = user_chunk_cache_max;
1606 }
1607 
1608 /* This function was added to libpng 1.4.1 */
1609 void PNGAPI
png_set_chunk_malloc_max(png_structrp png_ptr,png_alloc_size_t user_chunk_malloc_max)1610 png_set_chunk_malloc_max (png_structrp png_ptr,
1611     png_alloc_size_t user_chunk_malloc_max)
1612 {
1613    if (png_ptr != NULL)
1614       png_ptr->user_chunk_malloc_max = user_chunk_malloc_max;
1615 }
1616 #endif /* ?SET_USER_LIMITS */
1617 
1618 
1619 #ifdef PNG_BENIGN_ERRORS_SUPPORTED
1620 void PNGAPI
png_set_benign_errors(png_structrp png_ptr,int allowed)1621 png_set_benign_errors(png_structrp png_ptr, int allowed)
1622 {
1623    png_debug(1, "in png_set_benign_errors");
1624 
1625    /* If allowed is 1, png_benign_error() is treated as a warning.
1626     *
1627     * If allowed is 0, png_benign_error() is treated as an error (which
1628     * is the default behavior if png_set_benign_errors() is not called).
1629     */
1630 
1631    if (allowed != 0)
1632       png_ptr->flags |= PNG_FLAG_BENIGN_ERRORS_WARN |
1633          PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN;
1634 
1635    else
1636       png_ptr->flags &= ~(PNG_FLAG_BENIGN_ERRORS_WARN |
1637          PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN);
1638 }
1639 #endif /* BENIGN_ERRORS */
1640 
1641 #ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
1642    /* Whether to report invalid palette index; added at libng-1.5.10.
1643     * It is possible for an indexed (color-type==3) PNG file to contain
1644     * pixels with invalid (out-of-range) indexes if the PLTE chunk has
1645     * fewer entries than the image's bit-depth would allow. We recover
1646     * from this gracefully by filling any incomplete palette with zeros
1647     * (opaque black).  By default, when this occurs libpng will issue
1648     * a benign error.  This API can be used to override that behavior.
1649     */
1650 void PNGAPI
png_set_check_for_invalid_index(png_structrp png_ptr,int allowed)1651 png_set_check_for_invalid_index(png_structrp png_ptr, int allowed)
1652 {
1653    png_debug(1, "in png_set_check_for_invalid_index");
1654 
1655    if (allowed > 0)
1656       png_ptr->num_palette_max = 0;
1657 
1658    else
1659       png_ptr->num_palette_max = -1;
1660 }
1661 #endif
1662 
1663 #if defined(PNG_TEXT_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) || \
1664     defined(PNG_iCCP_SUPPORTED) || defined(PNG_sPLT_SUPPORTED)
1665 /* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
1666  * and if invalid, correct the keyword rather than discarding the entire
1667  * chunk.  The PNG 1.0 specification requires keywords 1-79 characters in
1668  * length, forbids leading or trailing whitespace, multiple internal spaces,
1669  * and the non-break space (0x80) from ISO 8859-1.  Returns keyword length.
1670  *
1671  * The 'new_key' buffer must be 80 characters in size (for the keyword plus a
1672  * trailing '\0').  If this routine returns 0 then there was no keyword, or a
1673  * valid one could not be generated, and the caller must png_error.
1674  */
1675 png_uint_32 /* PRIVATE */
png_check_keyword(png_structrp png_ptr,png_const_charp key,png_bytep new_key)1676 png_check_keyword(png_structrp png_ptr, png_const_charp key, png_bytep new_key)
1677 {
1678    png_const_charp orig_key = key;
1679    png_uint_32 key_len = 0;
1680    int bad_character = 0;
1681    int space = 1;
1682 
1683    png_debug(1, "in png_check_keyword");
1684 
1685    if (key == NULL)
1686    {
1687       *new_key = 0;
1688       return 0;
1689    }
1690 
1691    while (*key && key_len < 79)
1692    {
1693       png_byte ch = (png_byte)*key++;
1694 
1695       if ((ch > 32 && ch <= 126) || (ch >= 161 /*&& ch <= 255*/))
1696          *new_key++ = ch, ++key_len, space = 0;
1697 
1698       else if (space == 0)
1699       {
1700          /* A space or an invalid character when one wasn't seen immediately
1701           * before; output just a space.
1702           */
1703          *new_key++ = 32, ++key_len, space = 1;
1704 
1705          /* If the character was not a space then it is invalid. */
1706          if (ch != 32)
1707             bad_character = ch;
1708       }
1709 
1710       else if (bad_character == 0)
1711          bad_character = ch; /* just skip it, record the first error */
1712    }
1713 
1714    if (key_len > 0 && space != 0) /* trailing space */
1715    {
1716       --key_len, --new_key;
1717       if (bad_character == 0)
1718          bad_character = 32;
1719    }
1720 
1721    /* Terminate the keyword */
1722    *new_key = 0;
1723 
1724    if (key_len == 0)
1725       return 0;
1726 
1727 #ifdef PNG_WARNINGS_SUPPORTED
1728    /* Try to only output one warning per keyword: */
1729    if (*key != 0) /* keyword too long */
1730       png_warning(png_ptr, "keyword truncated");
1731 
1732    else if (bad_character != 0)
1733    {
1734       PNG_WARNING_PARAMETERS(p)
1735 
1736       png_warning_parameter(p, 1, orig_key);
1737       png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_02x, bad_character);
1738 
1739       png_formatted_warning(png_ptr, p, "keyword \"@1\": bad character '0x@2'");
1740    }
1741 #endif /* WARNINGS */
1742 
1743    return key_len;
1744 }
1745 #endif /* TEXT || pCAL || iCCP || sPLT */
1746 #endif /* READ || WRITE */
1747