1
2 /* pngset.c - storage of image information into info struct
3 *
4 * Last changed in libpng 1.6.21 [January 15, 2016]
5 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 *
13 * The functions here are used during reads to store data from the file
14 * into the info struct, and during writes to store application data
15 * into the info struct for writing into the file. This abstracts the
16 * info struct and allows us to change the structure in the future.
17 */
18
19 #include "pngpriv.h"
20
21 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
22
23 #ifdef PNG_bKGD_SUPPORTED
24 void PNGAPI
png_set_bKGD(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_16p background)25 png_set_bKGD(png_const_structrp png_ptr, png_inforp info_ptr,
26 png_const_color_16p background)
27 {
28 png_debug1(1, "in %s storage function", "bKGD");
29
30 if (png_ptr == NULL || info_ptr == NULL || background == NULL)
31 return;
32
33 info_ptr->background = *background;
34 info_ptr->valid |= PNG_INFO_bKGD;
35 }
36 #endif
37
38 #ifdef PNG_cHRM_SUPPORTED
39 void PNGFAPI
png_set_cHRM_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point white_x,png_fixed_point white_y,png_fixed_point red_x,png_fixed_point red_y,png_fixed_point green_x,png_fixed_point green_y,png_fixed_point blue_x,png_fixed_point blue_y)40 png_set_cHRM_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
41 png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
42 png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
43 png_fixed_point blue_x, png_fixed_point blue_y)
44 {
45 png_xy xy;
46
47 png_debug1(1, "in %s storage function", "cHRM fixed");
48
49 if (png_ptr == NULL || info_ptr == NULL)
50 return;
51
52 xy.redx = red_x;
53 xy.redy = red_y;
54 xy.greenx = green_x;
55 xy.greeny = green_y;
56 xy.bluex = blue_x;
57 xy.bluey = blue_y;
58 xy.whitex = white_x;
59 xy.whitey = white_y;
60
61 if (png_colorspace_set_chromaticities(png_ptr, &info_ptr->colorspace, &xy,
62 2/* override with app values*/) != 0)
63 info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
64
65 png_colorspace_sync_info(png_ptr, info_ptr);
66 }
67
68 void PNGFAPI
png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point int_red_X,png_fixed_point int_red_Y,png_fixed_point int_red_Z,png_fixed_point int_green_X,png_fixed_point int_green_Y,png_fixed_point int_green_Z,png_fixed_point int_blue_X,png_fixed_point int_blue_Y,png_fixed_point int_blue_Z)69 png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
70 png_fixed_point int_red_X, png_fixed_point int_red_Y,
71 png_fixed_point int_red_Z, png_fixed_point int_green_X,
72 png_fixed_point int_green_Y, png_fixed_point int_green_Z,
73 png_fixed_point int_blue_X, png_fixed_point int_blue_Y,
74 png_fixed_point int_blue_Z)
75 {
76 png_XYZ XYZ;
77
78 png_debug1(1, "in %s storage function", "cHRM XYZ fixed");
79
80 if (png_ptr == NULL || info_ptr == NULL)
81 return;
82
83 XYZ.red_X = int_red_X;
84 XYZ.red_Y = int_red_Y;
85 XYZ.red_Z = int_red_Z;
86 XYZ.green_X = int_green_X;
87 XYZ.green_Y = int_green_Y;
88 XYZ.green_Z = int_green_Z;
89 XYZ.blue_X = int_blue_X;
90 XYZ.blue_Y = int_blue_Y;
91 XYZ.blue_Z = int_blue_Z;
92
93 if (png_colorspace_set_endpoints(png_ptr, &info_ptr->colorspace,
94 &XYZ, 2) != 0)
95 info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
96
97 png_colorspace_sync_info(png_ptr, info_ptr);
98 }
99
100 # ifdef PNG_FLOATING_POINT_SUPPORTED
101 void PNGAPI
png_set_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,double white_x,double white_y,double red_x,double red_y,double green_x,double green_y,double blue_x,double blue_y)102 png_set_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
103 double white_x, double white_y, double red_x, double red_y,
104 double green_x, double green_y, double blue_x, double blue_y)
105 {
106 png_set_cHRM_fixed(png_ptr, info_ptr,
107 png_fixed(png_ptr, white_x, "cHRM White X"),
108 png_fixed(png_ptr, white_y, "cHRM White Y"),
109 png_fixed(png_ptr, red_x, "cHRM Red X"),
110 png_fixed(png_ptr, red_y, "cHRM Red Y"),
111 png_fixed(png_ptr, green_x, "cHRM Green X"),
112 png_fixed(png_ptr, green_y, "cHRM Green Y"),
113 png_fixed(png_ptr, blue_x, "cHRM Blue X"),
114 png_fixed(png_ptr, blue_y, "cHRM Blue Y"));
115 }
116
117 void PNGAPI
png_set_cHRM_XYZ(png_const_structrp png_ptr,png_inforp info_ptr,double red_X,double red_Y,double red_Z,double green_X,double green_Y,double green_Z,double blue_X,double blue_Y,double blue_Z)118 png_set_cHRM_XYZ(png_const_structrp png_ptr, png_inforp info_ptr, double red_X,
119 double red_Y, double red_Z, double green_X, double green_Y, double green_Z,
120 double blue_X, double blue_Y, double blue_Z)
121 {
122 png_set_cHRM_XYZ_fixed(png_ptr, info_ptr,
123 png_fixed(png_ptr, red_X, "cHRM Red X"),
124 png_fixed(png_ptr, red_Y, "cHRM Red Y"),
125 png_fixed(png_ptr, red_Z, "cHRM Red Z"),
126 png_fixed(png_ptr, green_X, "cHRM Green X"),
127 png_fixed(png_ptr, green_Y, "cHRM Green Y"),
128 png_fixed(png_ptr, green_Z, "cHRM Green Z"),
129 png_fixed(png_ptr, blue_X, "cHRM Blue X"),
130 png_fixed(png_ptr, blue_Y, "cHRM Blue Y"),
131 png_fixed(png_ptr, blue_Z, "cHRM Blue Z"));
132 }
133 # endif /* FLOATING_POINT */
134
135 #endif /* cHRM */
136
137 #ifdef PNG_gAMA_SUPPORTED
138 void PNGFAPI
png_set_gAMA_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point file_gamma)139 png_set_gAMA_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
140 png_fixed_point file_gamma)
141 {
142 png_debug1(1, "in %s storage function", "gAMA");
143
144 if (png_ptr == NULL || info_ptr == NULL)
145 return;
146
147 png_colorspace_set_gamma(png_ptr, &info_ptr->colorspace, file_gamma);
148 png_colorspace_sync_info(png_ptr, info_ptr);
149 }
150
151 # ifdef PNG_FLOATING_POINT_SUPPORTED
152 void PNGAPI
png_set_gAMA(png_const_structrp png_ptr,png_inforp info_ptr,double file_gamma)153 png_set_gAMA(png_const_structrp png_ptr, png_inforp info_ptr, double file_gamma)
154 {
155 png_set_gAMA_fixed(png_ptr, info_ptr, png_fixed(png_ptr, file_gamma,
156 "png_set_gAMA"));
157 }
158 # endif
159 #endif
160
161 #ifdef PNG_hIST_SUPPORTED
162 void PNGAPI
png_set_hIST(png_const_structrp png_ptr,png_inforp info_ptr,png_const_uint_16p hist)163 png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
164 png_const_uint_16p hist)
165 {
166 int i;
167
168 png_debug1(1, "in %s storage function", "hIST");
169
170 if (png_ptr == NULL || info_ptr == NULL)
171 return;
172
173 if (info_ptr->num_palette == 0 || info_ptr->num_palette
174 > PNG_MAX_PALETTE_LENGTH)
175 {
176 png_warning(png_ptr,
177 "Invalid palette size, hIST allocation skipped");
178
179 return;
180 }
181
182 png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0);
183
184 /* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in
185 * version 1.2.1
186 */
187 info_ptr->hist = png_voidcast(png_uint_16p, png_malloc_warn(png_ptr,
188 PNG_MAX_PALETTE_LENGTH * (sizeof (png_uint_16))));
189
190 if (info_ptr->hist == NULL)
191 {
192 png_warning(png_ptr, "Insufficient memory for hIST chunk data");
193
194 return;
195 }
196
197 info_ptr->free_me |= PNG_FREE_HIST;
198
199 for (i = 0; i < info_ptr->num_palette; i++)
200 info_ptr->hist[i] = hist[i];
201
202 info_ptr->valid |= PNG_INFO_hIST;
203 }
204 #endif
205
206 void PNGAPI
png_set_IHDR(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int interlace_type,int compression_type,int filter_type)207 png_set_IHDR(png_const_structrp png_ptr, png_inforp info_ptr,
208 png_uint_32 width, png_uint_32 height, int bit_depth,
209 int color_type, int interlace_type, int compression_type,
210 int filter_type)
211 {
212 png_debug1(1, "in %s storage function", "IHDR");
213
214 if (png_ptr == NULL || info_ptr == NULL)
215 return;
216
217 info_ptr->width = width;
218 info_ptr->height = height;
219 info_ptr->bit_depth = (png_byte)bit_depth;
220 info_ptr->color_type = (png_byte)color_type;
221 info_ptr->compression_type = (png_byte)compression_type;
222 info_ptr->filter_type = (png_byte)filter_type;
223 info_ptr->interlace_type = (png_byte)interlace_type;
224
225 png_check_IHDR (png_ptr, info_ptr->width, info_ptr->height,
226 info_ptr->bit_depth, info_ptr->color_type, info_ptr->interlace_type,
227 info_ptr->compression_type, info_ptr->filter_type);
228
229 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
230 info_ptr->channels = 1;
231
232 else if ((info_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
233 info_ptr->channels = 3;
234
235 else
236 info_ptr->channels = 1;
237
238 if ((info_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)
239 info_ptr->channels++;
240
241 info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth);
242
243 info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
244 }
245
246 #ifdef PNG_oFFs_SUPPORTED
247 void PNGAPI
png_set_oFFs(png_const_structrp png_ptr,png_inforp info_ptr,png_int_32 offset_x,png_int_32 offset_y,int unit_type)248 png_set_oFFs(png_const_structrp png_ptr, png_inforp info_ptr,
249 png_int_32 offset_x, png_int_32 offset_y, int unit_type)
250 {
251 png_debug1(1, "in %s storage function", "oFFs");
252
253 if (png_ptr == NULL || info_ptr == NULL)
254 return;
255
256 info_ptr->x_offset = offset_x;
257 info_ptr->y_offset = offset_y;
258 info_ptr->offset_unit_type = (png_byte)unit_type;
259 info_ptr->valid |= PNG_INFO_oFFs;
260 }
261 #endif
262
263 #ifdef PNG_pCAL_SUPPORTED
264 void PNGAPI
png_set_pCAL(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)265 png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr,
266 png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type,
267 int nparams, png_const_charp units, png_charpp params)
268 {
269 png_size_t length;
270 int i;
271
272 png_debug1(1, "in %s storage function", "pCAL");
273
274 if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
275 || (nparams > 0 && params == NULL))
276 return;
277
278 length = strlen(purpose) + 1;
279 png_debug1(3, "allocating purpose for info (%lu bytes)",
280 (unsigned long)length);
281
282 /* TODO: validate format of calibration name and unit name */
283
284 /* Check that the type matches the specification. */
285 if (type < 0 || type > 3)
286 {
287 png_chunk_report(png_ptr, "Invalid pCAL equation type",
288 PNG_CHUNK_WRITE_ERROR);
289 return;
290 }
291
292 if (nparams < 0 || nparams > 255)
293 {
294 png_chunk_report(png_ptr, "Invalid pCAL parameter count",
295 PNG_CHUNK_WRITE_ERROR);
296 return;
297 }
298
299 /* Validate params[nparams] */
300 for (i=0; i<nparams; ++i)
301 {
302 if (params[i] == NULL ||
303 !png_check_fp_string(params[i], strlen(params[i])))
304 {
305 png_chunk_report(png_ptr, "Invalid format for pCAL parameter",
306 PNG_CHUNK_WRITE_ERROR);
307 return;
308 }
309 }
310
311 info_ptr->pcal_purpose = png_voidcast(png_charp,
312 png_malloc_warn(png_ptr, length));
313
314 if (info_ptr->pcal_purpose == NULL)
315 {
316 png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose",
317 PNG_CHUNK_WRITE_ERROR);
318 return;
319 }
320
321 memcpy(info_ptr->pcal_purpose, purpose, length);
322
323 png_debug(3, "storing X0, X1, type, and nparams in info");
324 info_ptr->pcal_X0 = X0;
325 info_ptr->pcal_X1 = X1;
326 info_ptr->pcal_type = (png_byte)type;
327 info_ptr->pcal_nparams = (png_byte)nparams;
328
329 length = strlen(units) + 1;
330 png_debug1(3, "allocating units for info (%lu bytes)",
331 (unsigned long)length);
332
333 info_ptr->pcal_units = png_voidcast(png_charp,
334 png_malloc_warn(png_ptr, length));
335
336 if (info_ptr->pcal_units == NULL)
337 {
338 png_warning(png_ptr, "Insufficient memory for pCAL units");
339
340 return;
341 }
342
343 memcpy(info_ptr->pcal_units, units, length);
344
345 info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
346 (png_size_t)((nparams + 1) * (sizeof (png_charp)))));
347
348 if (info_ptr->pcal_params == NULL)
349 {
350 png_warning(png_ptr, "Insufficient memory for pCAL params");
351
352 return;
353 }
354
355 memset(info_ptr->pcal_params, 0, (nparams + 1) * (sizeof (png_charp)));
356
357 for (i = 0; i < nparams; i++)
358 {
359 length = strlen(params[i]) + 1;
360 png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
361 (unsigned long)length);
362
363 info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
364
365 if (info_ptr->pcal_params[i] == NULL)
366 {
367 png_warning(png_ptr, "Insufficient memory for pCAL parameter");
368
369 return;
370 }
371
372 memcpy(info_ptr->pcal_params[i], params[i], length);
373 }
374
375 info_ptr->valid |= PNG_INFO_pCAL;
376 info_ptr->free_me |= PNG_FREE_PCAL;
377 }
378 #endif
379
380 #ifdef PNG_sCAL_SUPPORTED
381 void PNGAPI
png_set_sCAL_s(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_const_charp swidth,png_const_charp sheight)382 png_set_sCAL_s(png_const_structrp png_ptr, png_inforp info_ptr,
383 int unit, png_const_charp swidth, png_const_charp sheight)
384 {
385 png_size_t lengthw = 0, lengthh = 0;
386
387 png_debug1(1, "in %s storage function", "sCAL");
388
389 if (png_ptr == NULL || info_ptr == NULL)
390 return;
391
392 /* Double check the unit (should never get here with an invalid
393 * unit unless this is an API call.)
394 */
395 if (unit != 1 && unit != 2)
396 png_error(png_ptr, "Invalid sCAL unit");
397
398 if (swidth == NULL || (lengthw = strlen(swidth)) == 0 ||
399 swidth[0] == 45 /* '-' */ || !png_check_fp_string(swidth, lengthw))
400 png_error(png_ptr, "Invalid sCAL width");
401
402 if (sheight == NULL || (lengthh = strlen(sheight)) == 0 ||
403 sheight[0] == 45 /* '-' */ || !png_check_fp_string(sheight, lengthh))
404 png_error(png_ptr, "Invalid sCAL height");
405
406 info_ptr->scal_unit = (png_byte)unit;
407
408 ++lengthw;
409
410 png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthw);
411
412 info_ptr->scal_s_width = png_voidcast(png_charp,
413 png_malloc_warn(png_ptr, lengthw));
414
415 if (info_ptr->scal_s_width == NULL)
416 {
417 png_warning(png_ptr, "Memory allocation failed while processing sCAL");
418
419 return;
420 }
421
422 memcpy(info_ptr->scal_s_width, swidth, lengthw);
423
424 ++lengthh;
425
426 png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthh);
427
428 info_ptr->scal_s_height = png_voidcast(png_charp,
429 png_malloc_warn(png_ptr, lengthh));
430
431 if (info_ptr->scal_s_height == NULL)
432 {
433 png_free (png_ptr, info_ptr->scal_s_width);
434 info_ptr->scal_s_width = NULL;
435
436 png_warning(png_ptr, "Memory allocation failed while processing sCAL");
437
438 return;
439 }
440
441 memcpy(info_ptr->scal_s_height, sheight, lengthh);
442
443 info_ptr->valid |= PNG_INFO_sCAL;
444 info_ptr->free_me |= PNG_FREE_SCAL;
445 }
446
447 # ifdef PNG_FLOATING_POINT_SUPPORTED
448 void PNGAPI
png_set_sCAL(png_const_structrp png_ptr,png_inforp info_ptr,int unit,double width,double height)449 png_set_sCAL(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
450 double width, double height)
451 {
452 png_debug1(1, "in %s storage function", "sCAL");
453
454 /* Check the arguments. */
455 if (width <= 0)
456 png_warning(png_ptr, "Invalid sCAL width ignored");
457
458 else if (height <= 0)
459 png_warning(png_ptr, "Invalid sCAL height ignored");
460
461 else
462 {
463 /* Convert 'width' and 'height' to ASCII. */
464 char swidth[PNG_sCAL_MAX_DIGITS+1];
465 char sheight[PNG_sCAL_MAX_DIGITS+1];
466
467 png_ascii_from_fp(png_ptr, swidth, (sizeof swidth), width,
468 PNG_sCAL_PRECISION);
469 png_ascii_from_fp(png_ptr, sheight, (sizeof sheight), height,
470 PNG_sCAL_PRECISION);
471
472 png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
473 }
474 }
475 # endif
476
477 # ifdef PNG_FIXED_POINT_SUPPORTED
478 void PNGAPI
png_set_sCAL_fixed(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_fixed_point width,png_fixed_point height)479 png_set_sCAL_fixed(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
480 png_fixed_point width, png_fixed_point height)
481 {
482 png_debug1(1, "in %s storage function", "sCAL");
483
484 /* Check the arguments. */
485 if (width <= 0)
486 png_warning(png_ptr, "Invalid sCAL width ignored");
487
488 else if (height <= 0)
489 png_warning(png_ptr, "Invalid sCAL height ignored");
490
491 else
492 {
493 /* Convert 'width' and 'height' to ASCII. */
494 char swidth[PNG_sCAL_MAX_DIGITS+1];
495 char sheight[PNG_sCAL_MAX_DIGITS+1];
496
497 png_ascii_from_fixed(png_ptr, swidth, (sizeof swidth), width);
498 png_ascii_from_fixed(png_ptr, sheight, (sizeof sheight), height);
499
500 png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
501 }
502 }
503 # endif
504 #endif
505
506 #ifdef PNG_pHYs_SUPPORTED
507 void PNGAPI
png_set_pHYs(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 res_x,png_uint_32 res_y,int unit_type)508 png_set_pHYs(png_const_structrp png_ptr, png_inforp info_ptr,
509 png_uint_32 res_x, png_uint_32 res_y, int unit_type)
510 {
511 png_debug1(1, "in %s storage function", "pHYs");
512
513 if (png_ptr == NULL || info_ptr == NULL)
514 return;
515
516 info_ptr->x_pixels_per_unit = res_x;
517 info_ptr->y_pixels_per_unit = res_y;
518 info_ptr->phys_unit_type = (png_byte)unit_type;
519 info_ptr->valid |= PNG_INFO_pHYs;
520 }
521 #endif
522
523 void PNGAPI
png_set_PLTE(png_structrp png_ptr,png_inforp info_ptr,png_const_colorp palette,int num_palette)524 png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
525 png_const_colorp palette, int num_palette)
526 {
527
528 png_uint_32 max_palette_length;
529
530 png_debug1(1, "in %s storage function", "PLTE");
531
532 if (png_ptr == NULL || info_ptr == NULL)
533 return;
534
535 max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
536 (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
537
538 if (num_palette < 0 || num_palette > (int) max_palette_length)
539 {
540 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
541 png_error(png_ptr, "Invalid palette length");
542
543 else
544 {
545 png_warning(png_ptr, "Invalid palette length");
546
547 return;
548 }
549 }
550
551 if ((num_palette > 0 && palette == NULL) ||
552 (num_palette == 0
553 # ifdef PNG_MNG_FEATURES_SUPPORTED
554 && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
555 # endif
556 ))
557 {
558 png_error(png_ptr, "Invalid palette");
559 }
560
561 /* It may not actually be necessary to set png_ptr->palette here;
562 * we do it for backward compatibility with the way the png_handle_tRNS
563 * function used to do the allocation.
564 *
565 * 1.6.0: the above statement appears to be incorrect; something has to set
566 * the palette inside png_struct on read.
567 */
568 png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
569
570 /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
571 * of num_palette entries, in case of an invalid PNG file or incorrect
572 * call to png_set_PLTE() with too-large sample values.
573 */
574 png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
575 PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
576
577 if (num_palette > 0)
578 memcpy(png_ptr->palette, palette, num_palette * (sizeof (png_color)));
579 info_ptr->palette = png_ptr->palette;
580 info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
581
582 info_ptr->free_me |= PNG_FREE_PLTE;
583
584 info_ptr->valid |= PNG_INFO_PLTE;
585 }
586
587 #ifdef PNG_sBIT_SUPPORTED
588 void PNGAPI
png_set_sBIT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_8p sig_bit)589 png_set_sBIT(png_const_structrp png_ptr, png_inforp info_ptr,
590 png_const_color_8p sig_bit)
591 {
592 png_debug1(1, "in %s storage function", "sBIT");
593
594 if (png_ptr == NULL || info_ptr == NULL || sig_bit == NULL)
595 return;
596
597 info_ptr->sig_bit = *sig_bit;
598 info_ptr->valid |= PNG_INFO_sBIT;
599 }
600 #endif
601
602 #ifdef PNG_sRGB_SUPPORTED
603 void PNGAPI
png_set_sRGB(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)604 png_set_sRGB(png_const_structrp png_ptr, png_inforp info_ptr, int srgb_intent)
605 {
606 png_debug1(1, "in %s storage function", "sRGB");
607
608 if (png_ptr == NULL || info_ptr == NULL)
609 return;
610
611 (void)png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace, srgb_intent);
612 png_colorspace_sync_info(png_ptr, info_ptr);
613 }
614
615 void PNGAPI
png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)616 png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
617 int srgb_intent)
618 {
619 png_debug1(1, "in %s storage function", "sRGB_gAMA_and_cHRM");
620
621 if (png_ptr == NULL || info_ptr == NULL)
622 return;
623
624 if (png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace,
625 srgb_intent) != 0)
626 {
627 /* This causes the gAMA and cHRM to be written too */
628 info_ptr->colorspace.flags |=
629 PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
630 }
631
632 png_colorspace_sync_info(png_ptr, info_ptr);
633 }
634 #endif /* sRGB */
635
636
637 #ifdef PNG_iCCP_SUPPORTED
638 void PNGAPI
png_set_iCCP(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp name,int compression_type,png_const_bytep profile,png_uint_32 proflen)639 png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
640 png_const_charp name, int compression_type,
641 png_const_bytep profile, png_uint_32 proflen)
642 {
643 png_charp new_iccp_name;
644 png_bytep new_iccp_profile;
645 png_size_t length;
646
647 png_debug1(1, "in %s storage function", "iCCP");
648
649 if (png_ptr == NULL || info_ptr == NULL || name == NULL || profile == NULL)
650 return;
651
652 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
653 png_app_error(png_ptr, "Invalid iCCP compression method");
654
655 /* Set the colorspace first because this validates the profile; do not
656 * override previously set app cHRM or gAMA here (because likely as not the
657 * application knows better than libpng what the correct values are.) Pass
658 * the info_ptr color_type field to png_colorspace_set_ICC because in the
659 * write case it has not yet been stored in png_ptr.
660 */
661 {
662 int result = png_colorspace_set_ICC(png_ptr, &info_ptr->colorspace, name,
663 proflen, profile, info_ptr->color_type);
664
665 png_colorspace_sync_info(png_ptr, info_ptr);
666
667 /* Don't do any of the copying if the profile was bad, or inconsistent. */
668 if (result == 0)
669 return;
670
671 /* But do write the gAMA and cHRM chunks from the profile. */
672 info_ptr->colorspace.flags |=
673 PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
674 }
675
676 length = strlen(name)+1;
677 new_iccp_name = png_voidcast(png_charp, png_malloc_warn(png_ptr, length));
678
679 if (new_iccp_name == NULL)
680 {
681 png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk");
682
683 return;
684 }
685
686 memcpy(new_iccp_name, name, length);
687 new_iccp_profile = png_voidcast(png_bytep,
688 png_malloc_warn(png_ptr, proflen));
689
690 if (new_iccp_profile == NULL)
691 {
692 png_free(png_ptr, new_iccp_name);
693 png_benign_error(png_ptr,
694 "Insufficient memory to process iCCP profile");
695
696 return;
697 }
698
699 memcpy(new_iccp_profile, profile, proflen);
700
701 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, 0);
702
703 info_ptr->iccp_proflen = proflen;
704 info_ptr->iccp_name = new_iccp_name;
705 info_ptr->iccp_profile = new_iccp_profile;
706 info_ptr->free_me |= PNG_FREE_ICCP;
707 info_ptr->valid |= PNG_INFO_iCCP;
708 }
709 #endif
710
711 #ifdef PNG_TEXT_SUPPORTED
712 void PNGAPI
png_set_text(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)713 png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
714 png_const_textp text_ptr, int num_text)
715 {
716 int ret;
717 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, num_text);
718
719 if (ret != 0)
720 png_error(png_ptr, "Insufficient memory to store text");
721 }
722
723 int /* PRIVATE */
png_set_text_2(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)724 png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
725 png_const_textp text_ptr, int num_text)
726 {
727 int i;
728
729 png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U :
730 (unsigned long)png_ptr->chunk_name);
731
732 if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
733 return(0);
734
735 /* Make sure we have enough space in the "text" array in info_struct
736 * to hold all of the incoming text_ptr objects. This compare can't overflow
737 * because max_text >= num_text (anyway, subtract of two positive integers
738 * can't overflow in any case.)
739 */
740 if (num_text > info_ptr->max_text - info_ptr->num_text)
741 {
742 int old_num_text = info_ptr->num_text;
743 int max_text;
744 png_textp new_text = NULL;
745
746 /* Calculate an appropriate max_text, checking for overflow. */
747 max_text = old_num_text;
748 if (num_text <= INT_MAX - max_text)
749 {
750 max_text += num_text;
751
752 /* Round up to a multiple of 8 */
753 if (max_text < INT_MAX-8)
754 max_text = (max_text + 8) & ~0x7;
755
756 else
757 max_text = INT_MAX;
758
759 /* Now allocate a new array and copy the old members in; this does all
760 * the overflow checks.
761 */
762 new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
763 info_ptr->text, old_num_text, max_text-old_num_text,
764 sizeof *new_text));
765 }
766
767 if (new_text == NULL)
768 {
769 png_chunk_report(png_ptr, "too many text chunks",
770 PNG_CHUNK_WRITE_ERROR);
771
772 return 1;
773 }
774
775 png_free(png_ptr, info_ptr->text);
776
777 info_ptr->text = new_text;
778 info_ptr->free_me |= PNG_FREE_TEXT;
779 info_ptr->max_text = max_text;
780 /* num_text is adjusted below as the entries are copied in */
781
782 png_debug1(3, "allocated %d entries for info_ptr->text", max_text);
783 }
784
785 for (i = 0; i < num_text; i++)
786 {
787 size_t text_length, key_len;
788 size_t lang_len, lang_key_len;
789 png_textp textp = &(info_ptr->text[info_ptr->num_text]);
790
791 if (text_ptr[i].key == NULL)
792 continue;
793
794 if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
795 text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
796 {
797 png_chunk_report(png_ptr, "text compression mode is out of range",
798 PNG_CHUNK_WRITE_ERROR);
799 continue;
800 }
801
802 key_len = strlen(text_ptr[i].key);
803
804 if (text_ptr[i].compression <= 0)
805 {
806 lang_len = 0;
807 lang_key_len = 0;
808 }
809
810 else
811 # ifdef PNG_iTXt_SUPPORTED
812 {
813 /* Set iTXt data */
814
815 if (text_ptr[i].lang != NULL)
816 lang_len = strlen(text_ptr[i].lang);
817
818 else
819 lang_len = 0;
820
821 if (text_ptr[i].lang_key != NULL)
822 lang_key_len = strlen(text_ptr[i].lang_key);
823
824 else
825 lang_key_len = 0;
826 }
827 # else /* iTXt */
828 {
829 png_chunk_report(png_ptr, "iTXt chunk not supported",
830 PNG_CHUNK_WRITE_ERROR);
831 continue;
832 }
833 # endif
834
835 if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
836 {
837 text_length = 0;
838 # ifdef PNG_iTXt_SUPPORTED
839 if (text_ptr[i].compression > 0)
840 textp->compression = PNG_ITXT_COMPRESSION_NONE;
841
842 else
843 # endif
844 textp->compression = PNG_TEXT_COMPRESSION_NONE;
845 }
846
847 else
848 {
849 text_length = strlen(text_ptr[i].text);
850 textp->compression = text_ptr[i].compression;
851 }
852
853 textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr,
854 key_len + text_length + lang_len + lang_key_len + 4));
855
856 if (textp->key == NULL)
857 {
858 png_chunk_report(png_ptr, "text chunk: out of memory",
859 PNG_CHUNK_WRITE_ERROR);
860
861 return 1;
862 }
863
864 png_debug2(2, "Allocated %lu bytes at %p in png_set_text",
865 (unsigned long)(png_uint_32)
866 (key_len + lang_len + lang_key_len + text_length + 4),
867 textp->key);
868
869 memcpy(textp->key, text_ptr[i].key, key_len);
870 *(textp->key + key_len) = '\0';
871
872 if (text_ptr[i].compression > 0)
873 {
874 textp->lang = textp->key + key_len + 1;
875 memcpy(textp->lang, text_ptr[i].lang, lang_len);
876 *(textp->lang + lang_len) = '\0';
877 textp->lang_key = textp->lang + lang_len + 1;
878 memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len);
879 *(textp->lang_key + lang_key_len) = '\0';
880 textp->text = textp->lang_key + lang_key_len + 1;
881 }
882
883 else
884 {
885 textp->lang=NULL;
886 textp->lang_key=NULL;
887 textp->text = textp->key + key_len + 1;
888 }
889
890 if (text_length != 0)
891 memcpy(textp->text, text_ptr[i].text, text_length);
892
893 *(textp->text + text_length) = '\0';
894
895 # ifdef PNG_iTXt_SUPPORTED
896 if (textp->compression > 0)
897 {
898 textp->text_length = 0;
899 textp->itxt_length = text_length;
900 }
901
902 else
903 # endif
904 {
905 textp->text_length = text_length;
906 textp->itxt_length = 0;
907 }
908
909 info_ptr->num_text++;
910 png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
911 }
912
913 return(0);
914 }
915 #endif
916
917 #ifdef PNG_tIME_SUPPORTED
918 void PNGAPI
png_set_tIME(png_const_structrp png_ptr,png_inforp info_ptr,png_const_timep mod_time)919 png_set_tIME(png_const_structrp png_ptr, png_inforp info_ptr,
920 png_const_timep mod_time)
921 {
922 png_debug1(1, "in %s storage function", "tIME");
923
924 if (png_ptr == NULL || info_ptr == NULL || mod_time == NULL ||
925 (png_ptr->mode & PNG_WROTE_tIME) != 0)
926 return;
927
928 if (mod_time->month == 0 || mod_time->month > 12 ||
929 mod_time->day == 0 || mod_time->day > 31 ||
930 mod_time->hour > 23 || mod_time->minute > 59 ||
931 mod_time->second > 60)
932 {
933 png_warning(png_ptr, "Ignoring invalid time value");
934
935 return;
936 }
937
938 info_ptr->mod_time = *mod_time;
939 info_ptr->valid |= PNG_INFO_tIME;
940 }
941 #endif
942
943 #ifdef PNG_tRNS_SUPPORTED
944 void PNGAPI
png_set_tRNS(png_structrp png_ptr,png_inforp info_ptr,png_const_bytep trans_alpha,int num_trans,png_const_color_16p trans_color)945 png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
946 png_const_bytep trans_alpha, int num_trans, png_const_color_16p trans_color)
947 {
948 png_debug1(1, "in %s storage function", "tRNS");
949
950 if (png_ptr == NULL || info_ptr == NULL)
951
952 return;
953
954 if (trans_alpha != NULL)
955 {
956 /* It may not actually be necessary to set png_ptr->trans_alpha here;
957 * we do it for backward compatibility with the way the png_handle_tRNS
958 * function used to do the allocation.
959 *
960 * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
961 * relies on png_set_tRNS storing the information in png_struct
962 * (otherwise it won't be there for the code in pngrtran.c).
963 */
964
965 png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
966
967 if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
968 {
969 /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
970 info_ptr->trans_alpha = png_voidcast(png_bytep,
971 png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
972
973 memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
974 }
975 png_ptr->trans_alpha = info_ptr->trans_alpha;
976 }
977
978 if (trans_color != NULL)
979 {
980 #ifdef PNG_WARNINGS_SUPPORTED
981 if (info_ptr->bit_depth < 16)
982 {
983 int sample_max = (1 << info_ptr->bit_depth) - 1;
984
985 if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
986 trans_color->gray > sample_max) ||
987 (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
988 (trans_color->red > sample_max ||
989 trans_color->green > sample_max ||
990 trans_color->blue > sample_max)))
991 png_warning(png_ptr,
992 "tRNS chunk has out-of-range samples for bit_depth");
993 }
994 #endif
995
996 info_ptr->trans_color = *trans_color;
997
998 if (num_trans == 0)
999 num_trans = 1;
1000 }
1001
1002 info_ptr->num_trans = (png_uint_16)num_trans;
1003
1004 if (num_trans != 0)
1005 {
1006 info_ptr->valid |= PNG_INFO_tRNS;
1007 info_ptr->free_me |= PNG_FREE_TRNS;
1008 }
1009 }
1010 #endif
1011
1012 #ifdef PNG_sPLT_SUPPORTED
1013 void PNGAPI
png_set_sPLT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_sPLT_tp entries,int nentries)1014 png_set_sPLT(png_const_structrp png_ptr,
1015 png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
1016 /*
1017 * entries - array of png_sPLT_t structures
1018 * to be added to the list of palettes
1019 * in the info structure.
1020 *
1021 * nentries - number of palette structures to be
1022 * added.
1023 */
1024 {
1025 png_sPLT_tp np;
1026
1027 if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL)
1028 return;
1029
1030 /* Use the internal realloc function, which checks for all the possible
1031 * overflows. Notice that the parameters are (int) and (size_t)
1032 */
1033 np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr,
1034 info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries,
1035 sizeof *np));
1036
1037 if (np == NULL)
1038 {
1039 /* Out of memory or too many chunks */
1040 png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
1041
1042 return;
1043 }
1044
1045 png_free(png_ptr, info_ptr->splt_palettes);
1046 info_ptr->splt_palettes = np;
1047 info_ptr->free_me |= PNG_FREE_SPLT;
1048
1049 np += info_ptr->splt_palettes_num;
1050
1051 do
1052 {
1053 png_size_t length;
1054
1055 /* Skip invalid input entries */
1056 if (entries->name == NULL || entries->entries == NULL)
1057 {
1058 /* png_handle_sPLT doesn't do this, so this is an app error */
1059 png_app_error(png_ptr, "png_set_sPLT: invalid sPLT");
1060 /* Just skip the invalid entry */
1061 continue;
1062 }
1063
1064 np->depth = entries->depth;
1065
1066 /* In the event of out-of-memory just return - there's no point keeping
1067 * on trying to add sPLT chunks.
1068 */
1069 length = strlen(entries->name) + 1;
1070 np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
1071
1072 if (np->name == NULL)
1073 break;
1074
1075 memcpy(np->name, entries->name, length);
1076
1077 /* IMPORTANT: we have memory now that won't get freed if something else
1078 * goes wrong; this code must free it. png_malloc_array produces no
1079 * warnings; use a png_chunk_report (below) if there is an error.
1080 */
1081 np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
1082 entries->nentries, sizeof (png_sPLT_entry)));
1083
1084 if (np->entries == NULL)
1085 {
1086 png_free(png_ptr, np->name);
1087 np->name = NULL;
1088 break;
1089 }
1090
1091 np->nentries = entries->nentries;
1092 /* This multiply can't overflow because png_malloc_array has already
1093 * checked it when doing the allocation.
1094 */
1095 memcpy(np->entries, entries->entries,
1096 entries->nentries * sizeof (png_sPLT_entry));
1097
1098 /* Note that 'continue' skips the advance of the out pointer and out
1099 * count, so an invalid entry is not added.
1100 */
1101 info_ptr->valid |= PNG_INFO_sPLT;
1102 ++(info_ptr->splt_palettes_num);
1103 ++np;
1104 }
1105 while (++entries, --nentries);
1106
1107 if (nentries > 0)
1108 png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
1109 }
1110 #endif /* sPLT */
1111
1112 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
1113 static png_byte
check_location(png_const_structrp png_ptr,int location)1114 check_location(png_const_structrp png_ptr, int location)
1115 {
1116 location &= (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT);
1117
1118 /* New in 1.6.0; copy the location and check it. This is an API
1119 * change; previously the app had to use the
1120 * png_set_unknown_chunk_location API below for each chunk.
1121 */
1122 if (location == 0 && (png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1123 {
1124 /* Write struct, so unknown chunks come from the app */
1125 png_app_warning(png_ptr,
1126 "png_set_unknown_chunks now expects a valid location");
1127 /* Use the old behavior */
1128 location = (png_byte)(png_ptr->mode &
1129 (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT));
1130 }
1131
1132 /* This need not be an internal error - if the app calls
1133 * png_set_unknown_chunks on a read pointer it must get the location right.
1134 */
1135 if (location == 0)
1136 png_error(png_ptr, "invalid location in png_set_unknown_chunks");
1137
1138 /* Now reduce the location to the top-most set bit by removing each least
1139 * significant bit in turn.
1140 */
1141 while (location != (location & -location))
1142 location &= ~(location & -location);
1143
1144 /* The cast is safe because 'location' is a bit mask and only the low four
1145 * bits are significant.
1146 */
1147 return (png_byte)location;
1148 }
1149
1150 void PNGAPI
png_set_unknown_chunks(png_const_structrp png_ptr,png_inforp info_ptr,png_const_unknown_chunkp unknowns,int num_unknowns)1151 png_set_unknown_chunks(png_const_structrp png_ptr,
1152 png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
1153 {
1154 png_unknown_chunkp np;
1155
1156 if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
1157 unknowns == NULL)
1158 return;
1159
1160 /* Check for the failure cases where support has been disabled at compile
1161 * time. This code is hardly ever compiled - it's here because
1162 * STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this
1163 * code) but may be meaningless if the read or write handling of unknown
1164 * chunks is not compiled in.
1165 */
1166 # if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
1167 defined(PNG_READ_SUPPORTED)
1168 if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1169 {
1170 png_app_error(png_ptr, "no unknown chunk support on read");
1171
1172 return;
1173 }
1174 # endif
1175 # if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
1176 defined(PNG_WRITE_SUPPORTED)
1177 if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1178 {
1179 png_app_error(png_ptr, "no unknown chunk support on write");
1180
1181 return;
1182 }
1183 # endif
1184
1185 /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
1186 * unknown critical chunks could be lost with just a warning resulting in
1187 * undefined behavior. Now png_chunk_report is used to provide behavior
1188 * appropriate to read or write.
1189 */
1190 np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr,
1191 info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns,
1192 sizeof *np));
1193
1194 if (np == NULL)
1195 {
1196 png_chunk_report(png_ptr, "too many unknown chunks",
1197 PNG_CHUNK_WRITE_ERROR);
1198
1199 return;
1200 }
1201
1202 png_free(png_ptr, info_ptr->unknown_chunks);
1203 info_ptr->unknown_chunks = np; /* safe because it is initialized */
1204 info_ptr->free_me |= PNG_FREE_UNKN;
1205
1206 np += info_ptr->unknown_chunks_num;
1207
1208 /* Increment unknown_chunks_num each time round the loop to protect the
1209 * just-allocated chunk data.
1210 */
1211 for (; num_unknowns > 0; --num_unknowns, ++unknowns)
1212 {
1213 memcpy(np->name, unknowns->name, (sizeof np->name));
1214 np->name[(sizeof np->name)-1] = '\0';
1215 np->location = check_location(png_ptr, unknowns->location);
1216
1217 if (unknowns->size == 0)
1218 {
1219 np->data = NULL;
1220 np->size = 0;
1221 }
1222
1223 else
1224 {
1225 np->data = png_voidcast(png_bytep,
1226 png_malloc_base(png_ptr, unknowns->size));
1227
1228 if (np->data == NULL)
1229 {
1230 png_chunk_report(png_ptr, "unknown chunk: out of memory",
1231 PNG_CHUNK_WRITE_ERROR);
1232 /* But just skip storing the unknown chunk */
1233 continue;
1234 }
1235
1236 memcpy(np->data, unknowns->data, unknowns->size);
1237 np->size = unknowns->size;
1238 }
1239
1240 /* These increments are skipped on out-of-memory for the data - the
1241 * unknown chunk entry gets overwritten if the png_chunk_report returns.
1242 * This is correct in the read case (the chunk is just dropped.)
1243 */
1244 ++np;
1245 ++(info_ptr->unknown_chunks_num);
1246 }
1247 }
1248
1249 void PNGAPI
png_set_unknown_chunk_location(png_const_structrp png_ptr,png_inforp info_ptr,int chunk,int location)1250 png_set_unknown_chunk_location(png_const_structrp png_ptr, png_inforp info_ptr,
1251 int chunk, int location)
1252 {
1253 /* This API is pretty pointless in 1.6.0 because the location can be set
1254 * before the call to png_set_unknown_chunks.
1255 *
1256 * TODO: add a png_app_warning in 1.7
1257 */
1258 if (png_ptr != NULL && info_ptr != NULL && chunk >= 0 &&
1259 chunk < info_ptr->unknown_chunks_num)
1260 {
1261 if ((location & (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT)) == 0)
1262 {
1263 png_app_error(png_ptr, "invalid unknown chunk location");
1264 /* Fake out the pre 1.6.0 behavior: */
1265 if ((location & PNG_HAVE_IDAT) != 0) /* undocumented! */
1266 location = PNG_AFTER_IDAT;
1267
1268 else
1269 location = PNG_HAVE_IHDR; /* also undocumented */
1270 }
1271
1272 info_ptr->unknown_chunks[chunk].location =
1273 check_location(png_ptr, location);
1274 }
1275 }
1276 #endif /* STORE_UNKNOWN_CHUNKS */
1277
1278 #ifdef PNG_MNG_FEATURES_SUPPORTED
1279 png_uint_32 PNGAPI
png_permit_mng_features(png_structrp png_ptr,png_uint_32 mng_features)1280 png_permit_mng_features (png_structrp png_ptr, png_uint_32 mng_features)
1281 {
1282 png_debug(1, "in png_permit_mng_features");
1283
1284 if (png_ptr == NULL)
1285 return 0;
1286
1287 png_ptr->mng_features_permitted = mng_features & PNG_ALL_MNG_FEATURES;
1288
1289 return png_ptr->mng_features_permitted;
1290 }
1291 #endif
1292
1293 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
1294 static unsigned int
add_one_chunk(png_bytep list,unsigned int count,png_const_bytep add,int keep)1295 add_one_chunk(png_bytep list, unsigned int count, png_const_bytep add, int keep)
1296 {
1297 unsigned int i;
1298
1299 /* Utility function: update the 'keep' state of a chunk if it is already in
1300 * the list, otherwise add it to the list.
1301 */
1302 for (i=0; i<count; ++i, list += 5)
1303 {
1304 if (memcmp(list, add, 4) == 0)
1305 {
1306 list[4] = (png_byte)keep;
1307
1308 return count;
1309 }
1310 }
1311
1312 if (keep != PNG_HANDLE_CHUNK_AS_DEFAULT)
1313 {
1314 ++count;
1315 memcpy(list, add, 4);
1316 list[4] = (png_byte)keep;
1317 }
1318
1319 return count;
1320 }
1321
1322 void PNGAPI
png_set_keep_unknown_chunks(png_structrp png_ptr,int keep,png_const_bytep chunk_list,int num_chunks_in)1323 png_set_keep_unknown_chunks(png_structrp png_ptr, int keep,
1324 png_const_bytep chunk_list, int num_chunks_in)
1325 {
1326 png_bytep new_list;
1327 unsigned int num_chunks, old_num_chunks;
1328
1329 if (png_ptr == NULL)
1330 return;
1331
1332 if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST)
1333 {
1334 png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep");
1335
1336 return;
1337 }
1338
1339 if (num_chunks_in <= 0)
1340 {
1341 png_ptr->unknown_default = keep;
1342
1343 /* '0' means just set the flags, so stop here */
1344 if (num_chunks_in == 0)
1345 return;
1346 }
1347
1348 if (num_chunks_in < 0)
1349 {
1350 /* Ignore all unknown chunks and all chunks recognized by
1351 * libpng except for IHDR, PLTE, tRNS, IDAT, and IEND
1352 */
1353 static PNG_CONST png_byte chunks_to_ignore[] = {
1354 98, 75, 71, 68, '\0', /* bKGD */
1355 99, 72, 82, 77, '\0', /* cHRM */
1356 103, 65, 77, 65, '\0', /* gAMA */
1357 104, 73, 83, 84, '\0', /* hIST */
1358 105, 67, 67, 80, '\0', /* iCCP */
1359 105, 84, 88, 116, '\0', /* iTXt */
1360 111, 70, 70, 115, '\0', /* oFFs */
1361 112, 67, 65, 76, '\0', /* pCAL */
1362 112, 72, 89, 115, '\0', /* pHYs */
1363 115, 66, 73, 84, '\0', /* sBIT */
1364 115, 67, 65, 76, '\0', /* sCAL */
1365 115, 80, 76, 84, '\0', /* sPLT */
1366 115, 84, 69, 82, '\0', /* sTER */
1367 115, 82, 71, 66, '\0', /* sRGB */
1368 116, 69, 88, 116, '\0', /* tEXt */
1369 116, 73, 77, 69, '\0', /* tIME */
1370 122, 84, 88, 116, '\0' /* zTXt */
1371 };
1372
1373 chunk_list = chunks_to_ignore;
1374 num_chunks = (unsigned int)/*SAFE*/(sizeof chunks_to_ignore)/5U;
1375 }
1376
1377 else /* num_chunks_in > 0 */
1378 {
1379 if (chunk_list == NULL)
1380 {
1381 /* Prior to 1.6.0 this was silently ignored, now it is an app_error
1382 * which can be switched off.
1383 */
1384 png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list");
1385
1386 return;
1387 }
1388
1389 num_chunks = num_chunks_in;
1390 }
1391
1392 old_num_chunks = png_ptr->num_chunk_list;
1393 if (png_ptr->chunk_list == NULL)
1394 old_num_chunks = 0;
1395
1396 /* Since num_chunks is always restricted to UINT_MAX/5 this can't overflow.
1397 */
1398 if (num_chunks + old_num_chunks > UINT_MAX/5)
1399 {
1400 png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
1401
1402 return;
1403 }
1404
1405 /* If these chunks are being reset to the default then no more memory is
1406 * required because add_one_chunk above doesn't extend the list if the 'keep'
1407 * parameter is the default.
1408 */
1409 if (keep != 0)
1410 {
1411 new_list = png_voidcast(png_bytep, png_malloc(png_ptr,
1412 5 * (num_chunks + old_num_chunks)));
1413
1414 if (old_num_chunks > 0)
1415 memcpy(new_list, png_ptr->chunk_list, 5*old_num_chunks);
1416 }
1417
1418 else if (old_num_chunks > 0)
1419 new_list = png_ptr->chunk_list;
1420
1421 else
1422 new_list = NULL;
1423
1424 /* Add the new chunks together with each one's handling code. If the chunk
1425 * already exists the code is updated, otherwise the chunk is added to the
1426 * end. (In libpng 1.6.0 order no longer matters because this code enforces
1427 * the earlier convention that the last setting is the one that is used.)
1428 */
1429 if (new_list != NULL)
1430 {
1431 png_const_bytep inlist;
1432 png_bytep outlist;
1433 unsigned int i;
1434
1435 for (i=0; i<num_chunks; ++i)
1436 {
1437 old_num_chunks = add_one_chunk(new_list, old_num_chunks,
1438 chunk_list+5*i, keep);
1439 }
1440
1441 /* Now remove any spurious 'default' entries. */
1442 num_chunks = 0;
1443 for (i=0, inlist=outlist=new_list; i<old_num_chunks; ++i, inlist += 5)
1444 {
1445 if (inlist[4])
1446 {
1447 if (outlist != inlist)
1448 memcpy(outlist, inlist, 5);
1449 outlist += 5;
1450 ++num_chunks;
1451 }
1452 }
1453
1454 /* This means the application has removed all the specialized handling. */
1455 if (num_chunks == 0)
1456 {
1457 if (png_ptr->chunk_list != new_list)
1458 png_free(png_ptr, new_list);
1459
1460 new_list = NULL;
1461 }
1462 }
1463
1464 else
1465 num_chunks = 0;
1466
1467 png_ptr->num_chunk_list = num_chunks;
1468
1469 if (png_ptr->chunk_list != new_list)
1470 {
1471 if (png_ptr->chunk_list != NULL)
1472 png_free(png_ptr, png_ptr->chunk_list);
1473
1474 png_ptr->chunk_list = new_list;
1475 }
1476 }
1477 #endif
1478
1479 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1480 void PNGAPI
png_set_read_user_chunk_fn(png_structrp png_ptr,png_voidp user_chunk_ptr,png_user_chunk_ptr read_user_chunk_fn)1481 png_set_read_user_chunk_fn(png_structrp png_ptr, png_voidp user_chunk_ptr,
1482 png_user_chunk_ptr read_user_chunk_fn)
1483 {
1484 png_debug(1, "in png_set_read_user_chunk_fn");
1485
1486 if (png_ptr == NULL)
1487 return;
1488
1489 png_ptr->read_user_chunk_fn = read_user_chunk_fn;
1490 png_ptr->user_chunk_ptr = user_chunk_ptr;
1491 }
1492 #endif
1493
1494 #ifdef PNG_INFO_IMAGE_SUPPORTED
1495 void PNGAPI
png_set_rows(png_const_structrp png_ptr,png_inforp info_ptr,png_bytepp row_pointers)1496 png_set_rows(png_const_structrp png_ptr, png_inforp info_ptr,
1497 png_bytepp row_pointers)
1498 {
1499 png_debug1(1, "in %s storage function", "rows");
1500
1501 if (png_ptr == NULL || info_ptr == NULL)
1502 return;
1503
1504 if (info_ptr->row_pointers != NULL &&
1505 (info_ptr->row_pointers != row_pointers))
1506 png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0);
1507
1508 info_ptr->row_pointers = row_pointers;
1509
1510 if (row_pointers != NULL)
1511 info_ptr->valid |= PNG_INFO_IDAT;
1512 }
1513 #endif
1514
1515 void PNGAPI
png_set_compression_buffer_size(png_structrp png_ptr,png_size_t size)1516 png_set_compression_buffer_size(png_structrp png_ptr, png_size_t size)
1517 {
1518 if (png_ptr == NULL)
1519 return;
1520
1521 if (size == 0 || size > PNG_UINT_31_MAX)
1522 png_error(png_ptr, "invalid compression buffer size");
1523
1524 # ifdef PNG_SEQUENTIAL_READ_SUPPORTED
1525 if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1526 {
1527 png_ptr->IDAT_read_size = (png_uint_32)size; /* checked above */
1528 return;
1529 }
1530 # endif
1531
1532 # ifdef PNG_WRITE_SUPPORTED
1533 if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1534 {
1535 if (png_ptr->zowner != 0)
1536 {
1537 png_warning(png_ptr,
1538 "Compression buffer size cannot be changed because it is in use");
1539
1540 return;
1541 }
1542
1543 #ifndef __COVERITY__
1544 /* Some compilers complain that this is always false. However, it
1545 * can be true when integer overflow happens.
1546 */
1547 if (size > ZLIB_IO_MAX)
1548 {
1549 png_warning(png_ptr,
1550 "Compression buffer size limited to system maximum");
1551 size = ZLIB_IO_MAX; /* must fit */
1552 }
1553 #endif
1554
1555 if (size < 6)
1556 {
1557 /* Deflate will potentially go into an infinite loop on a SYNC_FLUSH
1558 * if this is permitted.
1559 */
1560 png_warning(png_ptr,
1561 "Compression buffer size cannot be reduced below 6");
1562
1563 return;
1564 }
1565
1566 if (png_ptr->zbuffer_size != size)
1567 {
1568 png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list);
1569 png_ptr->zbuffer_size = (uInt)size;
1570 }
1571 }
1572 # endif
1573 }
1574
1575 void PNGAPI
png_set_invalid(png_const_structrp png_ptr,png_inforp info_ptr,int mask)1576 png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask)
1577 {
1578 if (png_ptr != NULL && info_ptr != NULL)
1579 info_ptr->valid &= ~mask;
1580 }
1581
1582
1583 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
1584 /* This function was added to libpng 1.2.6 */
1585 void PNGAPI
png_set_user_limits(png_structrp png_ptr,png_uint_32 user_width_max,png_uint_32 user_height_max)1586 png_set_user_limits (png_structrp png_ptr, png_uint_32 user_width_max,
1587 png_uint_32 user_height_max)
1588 {
1589 /* Images with dimensions larger than these limits will be
1590 * rejected by png_set_IHDR(). To accept any PNG datastream
1591 * regardless of dimensions, set both limits to 0x7fffffff.
1592 */
1593 if (png_ptr == NULL)
1594 return;
1595
1596 png_ptr->user_width_max = user_width_max;
1597 png_ptr->user_height_max = user_height_max;
1598 }
1599
1600 /* This function was added to libpng 1.4.0 */
1601 void PNGAPI
png_set_chunk_cache_max(png_structrp png_ptr,png_uint_32 user_chunk_cache_max)1602 png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
1603 {
1604 if (png_ptr != NULL)
1605 png_ptr->user_chunk_cache_max = user_chunk_cache_max;
1606 }
1607
1608 /* This function was added to libpng 1.4.1 */
1609 void PNGAPI
png_set_chunk_malloc_max(png_structrp png_ptr,png_alloc_size_t user_chunk_malloc_max)1610 png_set_chunk_malloc_max (png_structrp png_ptr,
1611 png_alloc_size_t user_chunk_malloc_max)
1612 {
1613 if (png_ptr != NULL)
1614 png_ptr->user_chunk_malloc_max = user_chunk_malloc_max;
1615 }
1616 #endif /* ?SET_USER_LIMITS */
1617
1618
1619 #ifdef PNG_BENIGN_ERRORS_SUPPORTED
1620 void PNGAPI
png_set_benign_errors(png_structrp png_ptr,int allowed)1621 png_set_benign_errors(png_structrp png_ptr, int allowed)
1622 {
1623 png_debug(1, "in png_set_benign_errors");
1624
1625 /* If allowed is 1, png_benign_error() is treated as a warning.
1626 *
1627 * If allowed is 0, png_benign_error() is treated as an error (which
1628 * is the default behavior if png_set_benign_errors() is not called).
1629 */
1630
1631 if (allowed != 0)
1632 png_ptr->flags |= PNG_FLAG_BENIGN_ERRORS_WARN |
1633 PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN;
1634
1635 else
1636 png_ptr->flags &= ~(PNG_FLAG_BENIGN_ERRORS_WARN |
1637 PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN);
1638 }
1639 #endif /* BENIGN_ERRORS */
1640
1641 #ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
1642 /* Whether to report invalid palette index; added at libng-1.5.10.
1643 * It is possible for an indexed (color-type==3) PNG file to contain
1644 * pixels with invalid (out-of-range) indexes if the PLTE chunk has
1645 * fewer entries than the image's bit-depth would allow. We recover
1646 * from this gracefully by filling any incomplete palette with zeros
1647 * (opaque black). By default, when this occurs libpng will issue
1648 * a benign error. This API can be used to override that behavior.
1649 */
1650 void PNGAPI
png_set_check_for_invalid_index(png_structrp png_ptr,int allowed)1651 png_set_check_for_invalid_index(png_structrp png_ptr, int allowed)
1652 {
1653 png_debug(1, "in png_set_check_for_invalid_index");
1654
1655 if (allowed > 0)
1656 png_ptr->num_palette_max = 0;
1657
1658 else
1659 png_ptr->num_palette_max = -1;
1660 }
1661 #endif
1662
1663 #if defined(PNG_TEXT_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) || \
1664 defined(PNG_iCCP_SUPPORTED) || defined(PNG_sPLT_SUPPORTED)
1665 /* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
1666 * and if invalid, correct the keyword rather than discarding the entire
1667 * chunk. The PNG 1.0 specification requires keywords 1-79 characters in
1668 * length, forbids leading or trailing whitespace, multiple internal spaces,
1669 * and the non-break space (0x80) from ISO 8859-1. Returns keyword length.
1670 *
1671 * The 'new_key' buffer must be 80 characters in size (for the keyword plus a
1672 * trailing '\0'). If this routine returns 0 then there was no keyword, or a
1673 * valid one could not be generated, and the caller must png_error.
1674 */
1675 png_uint_32 /* PRIVATE */
png_check_keyword(png_structrp png_ptr,png_const_charp key,png_bytep new_key)1676 png_check_keyword(png_structrp png_ptr, png_const_charp key, png_bytep new_key)
1677 {
1678 png_const_charp orig_key = key;
1679 png_uint_32 key_len = 0;
1680 int bad_character = 0;
1681 int space = 1;
1682
1683 png_debug(1, "in png_check_keyword");
1684
1685 if (key == NULL)
1686 {
1687 *new_key = 0;
1688 return 0;
1689 }
1690
1691 while (*key && key_len < 79)
1692 {
1693 png_byte ch = (png_byte)*key++;
1694
1695 if ((ch > 32 && ch <= 126) || (ch >= 161 /*&& ch <= 255*/))
1696 *new_key++ = ch, ++key_len, space = 0;
1697
1698 else if (space == 0)
1699 {
1700 /* A space or an invalid character when one wasn't seen immediately
1701 * before; output just a space.
1702 */
1703 *new_key++ = 32, ++key_len, space = 1;
1704
1705 /* If the character was not a space then it is invalid. */
1706 if (ch != 32)
1707 bad_character = ch;
1708 }
1709
1710 else if (bad_character == 0)
1711 bad_character = ch; /* just skip it, record the first error */
1712 }
1713
1714 if (key_len > 0 && space != 0) /* trailing space */
1715 {
1716 --key_len, --new_key;
1717 if (bad_character == 0)
1718 bad_character = 32;
1719 }
1720
1721 /* Terminate the keyword */
1722 *new_key = 0;
1723
1724 if (key_len == 0)
1725 return 0;
1726
1727 #ifdef PNG_WARNINGS_SUPPORTED
1728 /* Try to only output one warning per keyword: */
1729 if (*key != 0) /* keyword too long */
1730 png_warning(png_ptr, "keyword truncated");
1731
1732 else if (bad_character != 0)
1733 {
1734 PNG_WARNING_PARAMETERS(p)
1735
1736 png_warning_parameter(p, 1, orig_key);
1737 png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_02x, bad_character);
1738
1739 png_formatted_warning(png_ptr, p, "keyword \"@1\": bad character '0x@2'");
1740 }
1741 #endif /* WARNINGS */
1742
1743 return key_len;
1744 }
1745 #endif /* TEXT || pCAL || iCCP || sPLT */
1746 #endif /* READ || WRITE */
1747