1
2 /* pngset.c - storage of image information into info struct
3 *
4 * Last changed in libpng 1.6.26 [October 20, 2016]
5 * Copyright (c) 1998-2016 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 *
13 * The functions here are used during reads to store data from the file
14 * into the info struct, and during writes to store application data
15 * into the info struct for writing into the file. This abstracts the
16 * info struct and allows us to change the structure in the future.
17 */
18
19 #include "pngpriv.h"
20
21 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
22
23 #ifdef PNG_bKGD_SUPPORTED
24 void PNGAPI
png_set_bKGD(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_16p background)25 png_set_bKGD(png_const_structrp png_ptr, png_inforp info_ptr,
26 png_const_color_16p background)
27 {
28 png_debug1(1, "in %s storage function", "bKGD");
29
30 if (png_ptr == NULL || info_ptr == NULL || background == NULL)
31 return;
32
33 info_ptr->background = *background;
34 info_ptr->valid |= PNG_INFO_bKGD;
35 }
36 #endif
37
38 #ifdef PNG_cHRM_SUPPORTED
39 void PNGFAPI
png_set_cHRM_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point white_x,png_fixed_point white_y,png_fixed_point red_x,png_fixed_point red_y,png_fixed_point green_x,png_fixed_point green_y,png_fixed_point blue_x,png_fixed_point blue_y)40 png_set_cHRM_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
41 png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
42 png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
43 png_fixed_point blue_x, png_fixed_point blue_y)
44 {
45 png_xy xy;
46
47 png_debug1(1, "in %s storage function", "cHRM fixed");
48
49 if (png_ptr == NULL || info_ptr == NULL)
50 return;
51
52 xy.redx = red_x;
53 xy.redy = red_y;
54 xy.greenx = green_x;
55 xy.greeny = green_y;
56 xy.bluex = blue_x;
57 xy.bluey = blue_y;
58 xy.whitex = white_x;
59 xy.whitey = white_y;
60
61 if (png_colorspace_set_chromaticities(png_ptr, &info_ptr->colorspace, &xy,
62 2/* override with app values*/) != 0)
63 info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
64
65 png_colorspace_sync_info(png_ptr, info_ptr);
66 }
67
68 void PNGFAPI
png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point int_red_X,png_fixed_point int_red_Y,png_fixed_point int_red_Z,png_fixed_point int_green_X,png_fixed_point int_green_Y,png_fixed_point int_green_Z,png_fixed_point int_blue_X,png_fixed_point int_blue_Y,png_fixed_point int_blue_Z)69 png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
70 png_fixed_point int_red_X, png_fixed_point int_red_Y,
71 png_fixed_point int_red_Z, png_fixed_point int_green_X,
72 png_fixed_point int_green_Y, png_fixed_point int_green_Z,
73 png_fixed_point int_blue_X, png_fixed_point int_blue_Y,
74 png_fixed_point int_blue_Z)
75 {
76 png_XYZ XYZ;
77
78 png_debug1(1, "in %s storage function", "cHRM XYZ fixed");
79
80 if (png_ptr == NULL || info_ptr == NULL)
81 return;
82
83 XYZ.red_X = int_red_X;
84 XYZ.red_Y = int_red_Y;
85 XYZ.red_Z = int_red_Z;
86 XYZ.green_X = int_green_X;
87 XYZ.green_Y = int_green_Y;
88 XYZ.green_Z = int_green_Z;
89 XYZ.blue_X = int_blue_X;
90 XYZ.blue_Y = int_blue_Y;
91 XYZ.blue_Z = int_blue_Z;
92
93 if (png_colorspace_set_endpoints(png_ptr, &info_ptr->colorspace,
94 &XYZ, 2) != 0)
95 info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
96
97 png_colorspace_sync_info(png_ptr, info_ptr);
98 }
99
100 # ifdef PNG_FLOATING_POINT_SUPPORTED
101 void PNGAPI
png_set_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,double white_x,double white_y,double red_x,double red_y,double green_x,double green_y,double blue_x,double blue_y)102 png_set_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
103 double white_x, double white_y, double red_x, double red_y,
104 double green_x, double green_y, double blue_x, double blue_y)
105 {
106 png_set_cHRM_fixed(png_ptr, info_ptr,
107 png_fixed(png_ptr, white_x, "cHRM White X"),
108 png_fixed(png_ptr, white_y, "cHRM White Y"),
109 png_fixed(png_ptr, red_x, "cHRM Red X"),
110 png_fixed(png_ptr, red_y, "cHRM Red Y"),
111 png_fixed(png_ptr, green_x, "cHRM Green X"),
112 png_fixed(png_ptr, green_y, "cHRM Green Y"),
113 png_fixed(png_ptr, blue_x, "cHRM Blue X"),
114 png_fixed(png_ptr, blue_y, "cHRM Blue Y"));
115 }
116
117 void PNGAPI
png_set_cHRM_XYZ(png_const_structrp png_ptr,png_inforp info_ptr,double red_X,double red_Y,double red_Z,double green_X,double green_Y,double green_Z,double blue_X,double blue_Y,double blue_Z)118 png_set_cHRM_XYZ(png_const_structrp png_ptr, png_inforp info_ptr, double red_X,
119 double red_Y, double red_Z, double green_X, double green_Y, double green_Z,
120 double blue_X, double blue_Y, double blue_Z)
121 {
122 png_set_cHRM_XYZ_fixed(png_ptr, info_ptr,
123 png_fixed(png_ptr, red_X, "cHRM Red X"),
124 png_fixed(png_ptr, red_Y, "cHRM Red Y"),
125 png_fixed(png_ptr, red_Z, "cHRM Red Z"),
126 png_fixed(png_ptr, green_X, "cHRM Green X"),
127 png_fixed(png_ptr, green_Y, "cHRM Green Y"),
128 png_fixed(png_ptr, green_Z, "cHRM Green Z"),
129 png_fixed(png_ptr, blue_X, "cHRM Blue X"),
130 png_fixed(png_ptr, blue_Y, "cHRM Blue Y"),
131 png_fixed(png_ptr, blue_Z, "cHRM Blue Z"));
132 }
133 # endif /* FLOATING_POINT */
134
135 #endif /* cHRM */
136
137 #ifdef PNG_gAMA_SUPPORTED
138 void PNGFAPI
png_set_gAMA_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point file_gamma)139 png_set_gAMA_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
140 png_fixed_point file_gamma)
141 {
142 png_debug1(1, "in %s storage function", "gAMA");
143
144 if (png_ptr == NULL || info_ptr == NULL)
145 return;
146
147 png_colorspace_set_gamma(png_ptr, &info_ptr->colorspace, file_gamma);
148 png_colorspace_sync_info(png_ptr, info_ptr);
149 }
150
151 # ifdef PNG_FLOATING_POINT_SUPPORTED
152 void PNGAPI
png_set_gAMA(png_const_structrp png_ptr,png_inforp info_ptr,double file_gamma)153 png_set_gAMA(png_const_structrp png_ptr, png_inforp info_ptr, double file_gamma)
154 {
155 png_set_gAMA_fixed(png_ptr, info_ptr, png_fixed(png_ptr, file_gamma,
156 "png_set_gAMA"));
157 }
158 # endif
159 #endif
160
161 #ifdef PNG_hIST_SUPPORTED
162 void PNGAPI
png_set_hIST(png_const_structrp png_ptr,png_inforp info_ptr,png_const_uint_16p hist)163 png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
164 png_const_uint_16p hist)
165 {
166 int i;
167
168 png_debug1(1, "in %s storage function", "hIST");
169
170 if (png_ptr == NULL || info_ptr == NULL)
171 return;
172
173 if (info_ptr->num_palette == 0 || info_ptr->num_palette
174 > PNG_MAX_PALETTE_LENGTH)
175 {
176 png_warning(png_ptr,
177 "Invalid palette size, hIST allocation skipped");
178
179 return;
180 }
181
182 png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0);
183
184 /* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in
185 * version 1.2.1
186 */
187 info_ptr->hist = png_voidcast(png_uint_16p, png_malloc_warn(png_ptr,
188 PNG_MAX_PALETTE_LENGTH * (sizeof (png_uint_16))));
189
190 if (info_ptr->hist == NULL)
191 {
192 png_warning(png_ptr, "Insufficient memory for hIST chunk data");
193
194 return;
195 }
196
197 info_ptr->free_me |= PNG_FREE_HIST;
198
199 for (i = 0; i < info_ptr->num_palette; i++)
200 info_ptr->hist[i] = hist[i];
201
202 info_ptr->valid |= PNG_INFO_hIST;
203 }
204 #endif
205
206 void PNGAPI
png_set_IHDR(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int interlace_type,int compression_type,int filter_type)207 png_set_IHDR(png_const_structrp png_ptr, png_inforp info_ptr,
208 png_uint_32 width, png_uint_32 height, int bit_depth,
209 int color_type, int interlace_type, int compression_type,
210 int filter_type)
211 {
212 png_debug1(1, "in %s storage function", "IHDR");
213
214 if (png_ptr == NULL || info_ptr == NULL)
215 return;
216
217 info_ptr->width = width;
218 info_ptr->height = height;
219 info_ptr->bit_depth = (png_byte)bit_depth;
220 info_ptr->color_type = (png_byte)color_type;
221 info_ptr->compression_type = (png_byte)compression_type;
222 info_ptr->filter_type = (png_byte)filter_type;
223 info_ptr->interlace_type = (png_byte)interlace_type;
224
225 png_check_IHDR (png_ptr, info_ptr->width, info_ptr->height,
226 info_ptr->bit_depth, info_ptr->color_type, info_ptr->interlace_type,
227 info_ptr->compression_type, info_ptr->filter_type);
228
229 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
230 info_ptr->channels = 1;
231
232 else if ((info_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
233 info_ptr->channels = 3;
234
235 else
236 info_ptr->channels = 1;
237
238 if ((info_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)
239 info_ptr->channels++;
240
241 info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth);
242
243 info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
244 }
245
246 #ifdef PNG_oFFs_SUPPORTED
247 void PNGAPI
png_set_oFFs(png_const_structrp png_ptr,png_inforp info_ptr,png_int_32 offset_x,png_int_32 offset_y,int unit_type)248 png_set_oFFs(png_const_structrp png_ptr, png_inforp info_ptr,
249 png_int_32 offset_x, png_int_32 offset_y, int unit_type)
250 {
251 png_debug1(1, "in %s storage function", "oFFs");
252
253 if (png_ptr == NULL || info_ptr == NULL)
254 return;
255
256 info_ptr->x_offset = offset_x;
257 info_ptr->y_offset = offset_y;
258 info_ptr->offset_unit_type = (png_byte)unit_type;
259 info_ptr->valid |= PNG_INFO_oFFs;
260 }
261 #endif
262
263 #ifdef PNG_pCAL_SUPPORTED
264 void PNGAPI
png_set_pCAL(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)265 png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr,
266 png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type,
267 int nparams, png_const_charp units, png_charpp params)
268 {
269 png_size_t length;
270 int i;
271
272 png_debug1(1, "in %s storage function", "pCAL");
273
274 if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
275 || (nparams > 0 && params == NULL))
276 return;
277
278 length = strlen(purpose) + 1;
279 png_debug1(3, "allocating purpose for info (%lu bytes)",
280 (unsigned long)length);
281
282 /* TODO: validate format of calibration name and unit name */
283
284 /* Check that the type matches the specification. */
285 if (type < 0 || type > 3)
286 {
287 png_chunk_report(png_ptr, "Invalid pCAL equation type",
288 PNG_CHUNK_WRITE_ERROR);
289 return;
290 }
291
292 if (nparams < 0 || nparams > 255)
293 {
294 png_chunk_report(png_ptr, "Invalid pCAL parameter count",
295 PNG_CHUNK_WRITE_ERROR);
296 return;
297 }
298
299 /* Validate params[nparams] */
300 for (i=0; i<nparams; ++i)
301 {
302 if (params[i] == NULL ||
303 !png_check_fp_string(params[i], strlen(params[i])))
304 {
305 png_chunk_report(png_ptr, "Invalid format for pCAL parameter",
306 PNG_CHUNK_WRITE_ERROR);
307 return;
308 }
309 }
310
311 info_ptr->pcal_purpose = png_voidcast(png_charp,
312 png_malloc_warn(png_ptr, length));
313
314 if (info_ptr->pcal_purpose == NULL)
315 {
316 png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose",
317 PNG_CHUNK_WRITE_ERROR);
318 return;
319 }
320
321 memcpy(info_ptr->pcal_purpose, purpose, length);
322
323 png_debug(3, "storing X0, X1, type, and nparams in info");
324 info_ptr->pcal_X0 = X0;
325 info_ptr->pcal_X1 = X1;
326 info_ptr->pcal_type = (png_byte)type;
327 info_ptr->pcal_nparams = (png_byte)nparams;
328
329 length = strlen(units) + 1;
330 png_debug1(3, "allocating units for info (%lu bytes)",
331 (unsigned long)length);
332
333 info_ptr->pcal_units = png_voidcast(png_charp,
334 png_malloc_warn(png_ptr, length));
335
336 if (info_ptr->pcal_units == NULL)
337 {
338 png_warning(png_ptr, "Insufficient memory for pCAL units");
339
340 return;
341 }
342
343 memcpy(info_ptr->pcal_units, units, length);
344
345 info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
346 (png_size_t)(((unsigned int)nparams + 1) * (sizeof (png_charp)))));
347
348 if (info_ptr->pcal_params == NULL)
349 {
350 png_warning(png_ptr, "Insufficient memory for pCAL params");
351
352 return;
353 }
354
355 memset(info_ptr->pcal_params, 0, ((unsigned int)nparams + 1) *
356 (sizeof (png_charp)));
357
358 for (i = 0; i < nparams; i++)
359 {
360 length = strlen(params[i]) + 1;
361 png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
362 (unsigned long)length);
363
364 info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
365
366 if (info_ptr->pcal_params[i] == NULL)
367 {
368 png_warning(png_ptr, "Insufficient memory for pCAL parameter");
369
370 return;
371 }
372
373 memcpy(info_ptr->pcal_params[i], params[i], length);
374 }
375
376 info_ptr->valid |= PNG_INFO_pCAL;
377 info_ptr->free_me |= PNG_FREE_PCAL;
378 }
379 #endif
380
381 #ifdef PNG_sCAL_SUPPORTED
382 void PNGAPI
png_set_sCAL_s(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_const_charp swidth,png_const_charp sheight)383 png_set_sCAL_s(png_const_structrp png_ptr, png_inforp info_ptr,
384 int unit, png_const_charp swidth, png_const_charp sheight)
385 {
386 png_size_t lengthw = 0, lengthh = 0;
387
388 png_debug1(1, "in %s storage function", "sCAL");
389
390 if (png_ptr == NULL || info_ptr == NULL)
391 return;
392
393 /* Double check the unit (should never get here with an invalid
394 * unit unless this is an API call.)
395 */
396 if (unit != 1 && unit != 2)
397 png_error(png_ptr, "Invalid sCAL unit");
398
399 if (swidth == NULL || (lengthw = strlen(swidth)) == 0 ||
400 swidth[0] == 45 /* '-' */ || !png_check_fp_string(swidth, lengthw))
401 png_error(png_ptr, "Invalid sCAL width");
402
403 if (sheight == NULL || (lengthh = strlen(sheight)) == 0 ||
404 sheight[0] == 45 /* '-' */ || !png_check_fp_string(sheight, lengthh))
405 png_error(png_ptr, "Invalid sCAL height");
406
407 info_ptr->scal_unit = (png_byte)unit;
408
409 ++lengthw;
410
411 png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthw);
412
413 info_ptr->scal_s_width = png_voidcast(png_charp,
414 png_malloc_warn(png_ptr, lengthw));
415
416 if (info_ptr->scal_s_width == NULL)
417 {
418 png_warning(png_ptr, "Memory allocation failed while processing sCAL");
419
420 return;
421 }
422
423 memcpy(info_ptr->scal_s_width, swidth, lengthw);
424
425 ++lengthh;
426
427 png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthh);
428
429 info_ptr->scal_s_height = png_voidcast(png_charp,
430 png_malloc_warn(png_ptr, lengthh));
431
432 if (info_ptr->scal_s_height == NULL)
433 {
434 png_free (png_ptr, info_ptr->scal_s_width);
435 info_ptr->scal_s_width = NULL;
436
437 png_warning(png_ptr, "Memory allocation failed while processing sCAL");
438
439 return;
440 }
441
442 memcpy(info_ptr->scal_s_height, sheight, lengthh);
443
444 info_ptr->valid |= PNG_INFO_sCAL;
445 info_ptr->free_me |= PNG_FREE_SCAL;
446 }
447
448 # ifdef PNG_FLOATING_POINT_SUPPORTED
449 void PNGAPI
png_set_sCAL(png_const_structrp png_ptr,png_inforp info_ptr,int unit,double width,double height)450 png_set_sCAL(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
451 double width, double height)
452 {
453 png_debug1(1, "in %s storage function", "sCAL");
454
455 /* Check the arguments. */
456 if (width <= 0)
457 png_warning(png_ptr, "Invalid sCAL width ignored");
458
459 else if (height <= 0)
460 png_warning(png_ptr, "Invalid sCAL height ignored");
461
462 else
463 {
464 /* Convert 'width' and 'height' to ASCII. */
465 char swidth[PNG_sCAL_MAX_DIGITS+1];
466 char sheight[PNG_sCAL_MAX_DIGITS+1];
467
468 png_ascii_from_fp(png_ptr, swidth, (sizeof swidth), width,
469 PNG_sCAL_PRECISION);
470 png_ascii_from_fp(png_ptr, sheight, (sizeof sheight), height,
471 PNG_sCAL_PRECISION);
472
473 png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
474 }
475 }
476 # endif
477
478 # ifdef PNG_FIXED_POINT_SUPPORTED
479 void PNGAPI
png_set_sCAL_fixed(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_fixed_point width,png_fixed_point height)480 png_set_sCAL_fixed(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
481 png_fixed_point width, png_fixed_point height)
482 {
483 png_debug1(1, "in %s storage function", "sCAL");
484
485 /* Check the arguments. */
486 if (width <= 0)
487 png_warning(png_ptr, "Invalid sCAL width ignored");
488
489 else if (height <= 0)
490 png_warning(png_ptr, "Invalid sCAL height ignored");
491
492 else
493 {
494 /* Convert 'width' and 'height' to ASCII. */
495 char swidth[PNG_sCAL_MAX_DIGITS+1];
496 char sheight[PNG_sCAL_MAX_DIGITS+1];
497
498 png_ascii_from_fixed(png_ptr, swidth, (sizeof swidth), width);
499 png_ascii_from_fixed(png_ptr, sheight, (sizeof sheight), height);
500
501 png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
502 }
503 }
504 # endif
505 #endif
506
507 #ifdef PNG_pHYs_SUPPORTED
508 void PNGAPI
png_set_pHYs(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 res_x,png_uint_32 res_y,int unit_type)509 png_set_pHYs(png_const_structrp png_ptr, png_inforp info_ptr,
510 png_uint_32 res_x, png_uint_32 res_y, int unit_type)
511 {
512 png_debug1(1, "in %s storage function", "pHYs");
513
514 if (png_ptr == NULL || info_ptr == NULL)
515 return;
516
517 info_ptr->x_pixels_per_unit = res_x;
518 info_ptr->y_pixels_per_unit = res_y;
519 info_ptr->phys_unit_type = (png_byte)unit_type;
520 info_ptr->valid |= PNG_INFO_pHYs;
521 }
522 #endif
523
524 void PNGAPI
png_set_PLTE(png_structrp png_ptr,png_inforp info_ptr,png_const_colorp palette,int num_palette)525 png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
526 png_const_colorp palette, int num_palette)
527 {
528
529 png_uint_32 max_palette_length;
530
531 png_debug1(1, "in %s storage function", "PLTE");
532
533 if (png_ptr == NULL || info_ptr == NULL)
534 return;
535
536 max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
537 (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
538
539 if (num_palette < 0 || num_palette > (int) max_palette_length)
540 {
541 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
542 png_error(png_ptr, "Invalid palette length");
543
544 else
545 {
546 png_warning(png_ptr, "Invalid palette length");
547
548 return;
549 }
550 }
551
552 if ((num_palette > 0 && palette == NULL) ||
553 (num_palette == 0
554 # ifdef PNG_MNG_FEATURES_SUPPORTED
555 && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
556 # endif
557 ))
558 {
559 png_error(png_ptr, "Invalid palette");
560 }
561
562 /* It may not actually be necessary to set png_ptr->palette here;
563 * we do it for backward compatibility with the way the png_handle_tRNS
564 * function used to do the allocation.
565 *
566 * 1.6.0: the above statement appears to be incorrect; something has to set
567 * the palette inside png_struct on read.
568 */
569 png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
570
571 /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
572 * of num_palette entries, in case of an invalid PNG file or incorrect
573 * call to png_set_PLTE() with too-large sample values.
574 */
575 png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
576 PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
577
578 if (num_palette > 0)
579 memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
580 (sizeof (png_color)));
581 info_ptr->palette = png_ptr->palette;
582 info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
583
584 info_ptr->free_me |= PNG_FREE_PLTE;
585
586 info_ptr->valid |= PNG_INFO_PLTE;
587 }
588
589 #ifdef PNG_sBIT_SUPPORTED
590 void PNGAPI
png_set_sBIT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_8p sig_bit)591 png_set_sBIT(png_const_structrp png_ptr, png_inforp info_ptr,
592 png_const_color_8p sig_bit)
593 {
594 png_debug1(1, "in %s storage function", "sBIT");
595
596 if (png_ptr == NULL || info_ptr == NULL || sig_bit == NULL)
597 return;
598
599 info_ptr->sig_bit = *sig_bit;
600 info_ptr->valid |= PNG_INFO_sBIT;
601 }
602 #endif
603
604 #ifdef PNG_sRGB_SUPPORTED
605 void PNGAPI
png_set_sRGB(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)606 png_set_sRGB(png_const_structrp png_ptr, png_inforp info_ptr, int srgb_intent)
607 {
608 png_debug1(1, "in %s storage function", "sRGB");
609
610 if (png_ptr == NULL || info_ptr == NULL)
611 return;
612
613 (void)png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace, srgb_intent);
614 png_colorspace_sync_info(png_ptr, info_ptr);
615 }
616
617 void PNGAPI
png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)618 png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
619 int srgb_intent)
620 {
621 png_debug1(1, "in %s storage function", "sRGB_gAMA_and_cHRM");
622
623 if (png_ptr == NULL || info_ptr == NULL)
624 return;
625
626 if (png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace,
627 srgb_intent) != 0)
628 {
629 /* This causes the gAMA and cHRM to be written too */
630 info_ptr->colorspace.flags |=
631 PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
632 }
633
634 png_colorspace_sync_info(png_ptr, info_ptr);
635 }
636 #endif /* sRGB */
637
638
639 #ifdef PNG_iCCP_SUPPORTED
640 void PNGAPI
png_set_iCCP(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp name,int compression_type,png_const_bytep profile,png_uint_32 proflen)641 png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
642 png_const_charp name, int compression_type,
643 png_const_bytep profile, png_uint_32 proflen)
644 {
645 png_charp new_iccp_name;
646 png_bytep new_iccp_profile;
647 png_size_t length;
648
649 png_debug1(1, "in %s storage function", "iCCP");
650
651 if (png_ptr == NULL || info_ptr == NULL || name == NULL || profile == NULL)
652 return;
653
654 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
655 png_app_error(png_ptr, "Invalid iCCP compression method");
656
657 /* Set the colorspace first because this validates the profile; do not
658 * override previously set app cHRM or gAMA here (because likely as not the
659 * application knows better than libpng what the correct values are.) Pass
660 * the info_ptr color_type field to png_colorspace_set_ICC because in the
661 * write case it has not yet been stored in png_ptr.
662 */
663 {
664 int result = png_colorspace_set_ICC(png_ptr, &info_ptr->colorspace, name,
665 proflen, profile, info_ptr->color_type);
666
667 png_colorspace_sync_info(png_ptr, info_ptr);
668
669 /* Don't do any of the copying if the profile was bad, or inconsistent. */
670 if (result == 0)
671 return;
672
673 /* But do write the gAMA and cHRM chunks from the profile. */
674 info_ptr->colorspace.flags |=
675 PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
676 }
677
678 length = strlen(name)+1;
679 new_iccp_name = png_voidcast(png_charp, png_malloc_warn(png_ptr, length));
680
681 if (new_iccp_name == NULL)
682 {
683 png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk");
684
685 return;
686 }
687
688 memcpy(new_iccp_name, name, length);
689 new_iccp_profile = png_voidcast(png_bytep,
690 png_malloc_warn(png_ptr, proflen));
691
692 if (new_iccp_profile == NULL)
693 {
694 png_free(png_ptr, new_iccp_name);
695 png_benign_error(png_ptr,
696 "Insufficient memory to process iCCP profile");
697
698 return;
699 }
700
701 memcpy(new_iccp_profile, profile, proflen);
702
703 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, 0);
704
705 info_ptr->iccp_proflen = proflen;
706 info_ptr->iccp_name = new_iccp_name;
707 info_ptr->iccp_profile = new_iccp_profile;
708 info_ptr->free_me |= PNG_FREE_ICCP;
709 info_ptr->valid |= PNG_INFO_iCCP;
710 }
711 #endif
712
713 #ifdef PNG_TEXT_SUPPORTED
714 void PNGAPI
png_set_text(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)715 png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
716 png_const_textp text_ptr, int num_text)
717 {
718 int ret;
719 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, num_text);
720
721 if (ret != 0)
722 png_error(png_ptr, "Insufficient memory to store text");
723 }
724
725 int /* PRIVATE */
png_set_text_2(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)726 png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
727 png_const_textp text_ptr, int num_text)
728 {
729 int i;
730
731 png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U :
732 (unsigned long)png_ptr->chunk_name);
733
734 if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
735 return(0);
736
737 /* Make sure we have enough space in the "text" array in info_struct
738 * to hold all of the incoming text_ptr objects. This compare can't overflow
739 * because max_text >= num_text (anyway, subtract of two positive integers
740 * can't overflow in any case.)
741 */
742 if (num_text > info_ptr->max_text - info_ptr->num_text)
743 {
744 int old_num_text = info_ptr->num_text;
745 int max_text;
746 png_textp new_text = NULL;
747
748 /* Calculate an appropriate max_text, checking for overflow. */
749 max_text = old_num_text;
750 if (num_text <= INT_MAX - max_text)
751 {
752 max_text += num_text;
753
754 /* Round up to a multiple of 8 */
755 if (max_text < INT_MAX-8)
756 max_text = (max_text + 8) & ~0x7;
757
758 else
759 max_text = INT_MAX;
760
761 /* Now allocate a new array and copy the old members in; this does all
762 * the overflow checks.
763 */
764 new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
765 info_ptr->text, old_num_text, max_text-old_num_text,
766 sizeof *new_text));
767 }
768
769 if (new_text == NULL)
770 {
771 png_chunk_report(png_ptr, "too many text chunks",
772 PNG_CHUNK_WRITE_ERROR);
773
774 return 1;
775 }
776
777 png_free(png_ptr, info_ptr->text);
778
779 info_ptr->text = new_text;
780 info_ptr->free_me |= PNG_FREE_TEXT;
781 info_ptr->max_text = max_text;
782 /* num_text is adjusted below as the entries are copied in */
783
784 png_debug1(3, "allocated %d entries for info_ptr->text", max_text);
785 }
786
787 for (i = 0; i < num_text; i++)
788 {
789 size_t text_length, key_len;
790 size_t lang_len, lang_key_len;
791 png_textp textp = &(info_ptr->text[info_ptr->num_text]);
792
793 if (text_ptr[i].key == NULL)
794 continue;
795
796 if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
797 text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
798 {
799 png_chunk_report(png_ptr, "text compression mode is out of range",
800 PNG_CHUNK_WRITE_ERROR);
801 continue;
802 }
803
804 key_len = strlen(text_ptr[i].key);
805
806 if (text_ptr[i].compression <= 0)
807 {
808 lang_len = 0;
809 lang_key_len = 0;
810 }
811
812 else
813 # ifdef PNG_iTXt_SUPPORTED
814 {
815 /* Set iTXt data */
816
817 if (text_ptr[i].lang != NULL)
818 lang_len = strlen(text_ptr[i].lang);
819
820 else
821 lang_len = 0;
822
823 if (text_ptr[i].lang_key != NULL)
824 lang_key_len = strlen(text_ptr[i].lang_key);
825
826 else
827 lang_key_len = 0;
828 }
829 # else /* iTXt */
830 {
831 png_chunk_report(png_ptr, "iTXt chunk not supported",
832 PNG_CHUNK_WRITE_ERROR);
833 continue;
834 }
835 # endif
836
837 if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
838 {
839 text_length = 0;
840 # ifdef PNG_iTXt_SUPPORTED
841 if (text_ptr[i].compression > 0)
842 textp->compression = PNG_ITXT_COMPRESSION_NONE;
843
844 else
845 # endif
846 textp->compression = PNG_TEXT_COMPRESSION_NONE;
847 }
848
849 else
850 {
851 text_length = strlen(text_ptr[i].text);
852 textp->compression = text_ptr[i].compression;
853 }
854
855 textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr,
856 key_len + text_length + lang_len + lang_key_len + 4));
857
858 if (textp->key == NULL)
859 {
860 png_chunk_report(png_ptr, "text chunk: out of memory",
861 PNG_CHUNK_WRITE_ERROR);
862
863 return 1;
864 }
865
866 png_debug2(2, "Allocated %lu bytes at %p in png_set_text",
867 (unsigned long)(png_uint_32)
868 (key_len + lang_len + lang_key_len + text_length + 4),
869 textp->key);
870
871 memcpy(textp->key, text_ptr[i].key, key_len);
872 *(textp->key + key_len) = '\0';
873
874 if (text_ptr[i].compression > 0)
875 {
876 textp->lang = textp->key + key_len + 1;
877 memcpy(textp->lang, text_ptr[i].lang, lang_len);
878 *(textp->lang + lang_len) = '\0';
879 textp->lang_key = textp->lang + lang_len + 1;
880 memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len);
881 *(textp->lang_key + lang_key_len) = '\0';
882 textp->text = textp->lang_key + lang_key_len + 1;
883 }
884
885 else
886 {
887 textp->lang=NULL;
888 textp->lang_key=NULL;
889 textp->text = textp->key + key_len + 1;
890 }
891
892 if (text_length != 0)
893 memcpy(textp->text, text_ptr[i].text, text_length);
894
895 *(textp->text + text_length) = '\0';
896
897 # ifdef PNG_iTXt_SUPPORTED
898 if (textp->compression > 0)
899 {
900 textp->text_length = 0;
901 textp->itxt_length = text_length;
902 }
903
904 else
905 # endif
906 {
907 textp->text_length = text_length;
908 textp->itxt_length = 0;
909 }
910
911 info_ptr->num_text++;
912 png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
913 }
914
915 return(0);
916 }
917 #endif
918
919 #ifdef PNG_tIME_SUPPORTED
920 void PNGAPI
png_set_tIME(png_const_structrp png_ptr,png_inforp info_ptr,png_const_timep mod_time)921 png_set_tIME(png_const_structrp png_ptr, png_inforp info_ptr,
922 png_const_timep mod_time)
923 {
924 png_debug1(1, "in %s storage function", "tIME");
925
926 if (png_ptr == NULL || info_ptr == NULL || mod_time == NULL ||
927 (png_ptr->mode & PNG_WROTE_tIME) != 0)
928 return;
929
930 if (mod_time->month == 0 || mod_time->month > 12 ||
931 mod_time->day == 0 || mod_time->day > 31 ||
932 mod_time->hour > 23 || mod_time->minute > 59 ||
933 mod_time->second > 60)
934 {
935 png_warning(png_ptr, "Ignoring invalid time value");
936
937 return;
938 }
939
940 info_ptr->mod_time = *mod_time;
941 info_ptr->valid |= PNG_INFO_tIME;
942 }
943 #endif
944
945 #ifdef PNG_tRNS_SUPPORTED
946 void PNGAPI
png_set_tRNS(png_structrp png_ptr,png_inforp info_ptr,png_const_bytep trans_alpha,int num_trans,png_const_color_16p trans_color)947 png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
948 png_const_bytep trans_alpha, int num_trans, png_const_color_16p trans_color)
949 {
950 png_debug1(1, "in %s storage function", "tRNS");
951
952 if (png_ptr == NULL || info_ptr == NULL)
953
954 return;
955
956 if (trans_alpha != NULL)
957 {
958 /* It may not actually be necessary to set png_ptr->trans_alpha here;
959 * we do it for backward compatibility with the way the png_handle_tRNS
960 * function used to do the allocation.
961 *
962 * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
963 * relies on png_set_tRNS storing the information in png_struct
964 * (otherwise it won't be there for the code in pngrtran.c).
965 */
966
967 png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
968
969 if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
970 {
971 /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
972 info_ptr->trans_alpha = png_voidcast(png_bytep,
973 png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
974 memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
975 }
976 png_ptr->trans_alpha = info_ptr->trans_alpha;
977 }
978
979 if (trans_color != NULL)
980 {
981 #ifdef PNG_WARNINGS_SUPPORTED
982 if (info_ptr->bit_depth < 16)
983 {
984 int sample_max = (1 << info_ptr->bit_depth) - 1;
985
986 if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
987 trans_color->gray > sample_max) ||
988 (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
989 (trans_color->red > sample_max ||
990 trans_color->green > sample_max ||
991 trans_color->blue > sample_max)))
992 png_warning(png_ptr,
993 "tRNS chunk has out-of-range samples for bit_depth");
994 }
995 #endif
996
997 info_ptr->trans_color = *trans_color;
998
999 if (num_trans == 0)
1000 num_trans = 1;
1001 }
1002
1003 info_ptr->num_trans = (png_uint_16)num_trans;
1004
1005 if (num_trans != 0)
1006 {
1007 info_ptr->valid |= PNG_INFO_tRNS;
1008 info_ptr->free_me |= PNG_FREE_TRNS;
1009 }
1010 }
1011 #endif
1012
1013 #ifdef PNG_sPLT_SUPPORTED
1014 void PNGAPI
png_set_sPLT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_sPLT_tp entries,int nentries)1015 png_set_sPLT(png_const_structrp png_ptr,
1016 png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
1017 /*
1018 * entries - array of png_sPLT_t structures
1019 * to be added to the list of palettes
1020 * in the info structure.
1021 *
1022 * nentries - number of palette structures to be
1023 * added.
1024 */
1025 {
1026 png_sPLT_tp np;
1027
1028 if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL)
1029 return;
1030
1031 /* Use the internal realloc function, which checks for all the possible
1032 * overflows. Notice that the parameters are (int) and (size_t)
1033 */
1034 np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr,
1035 info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries,
1036 sizeof *np));
1037
1038 if (np == NULL)
1039 {
1040 /* Out of memory or too many chunks */
1041 png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
1042
1043 return;
1044 }
1045
1046 png_free(png_ptr, info_ptr->splt_palettes);
1047 info_ptr->splt_palettes = np;
1048 info_ptr->free_me |= PNG_FREE_SPLT;
1049
1050 np += info_ptr->splt_palettes_num;
1051
1052 do
1053 {
1054 png_size_t length;
1055
1056 /* Skip invalid input entries */
1057 if (entries->name == NULL || entries->entries == NULL)
1058 {
1059 /* png_handle_sPLT doesn't do this, so this is an app error */
1060 png_app_error(png_ptr, "png_set_sPLT: invalid sPLT");
1061 /* Just skip the invalid entry */
1062 continue;
1063 }
1064
1065 np->depth = entries->depth;
1066
1067 /* In the event of out-of-memory just return - there's no point keeping
1068 * on trying to add sPLT chunks.
1069 */
1070 length = strlen(entries->name) + 1;
1071 np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
1072
1073 if (np->name == NULL)
1074 break;
1075
1076 memcpy(np->name, entries->name, length);
1077
1078 /* IMPORTANT: we have memory now that won't get freed if something else
1079 * goes wrong; this code must free it. png_malloc_array produces no
1080 * warnings; use a png_chunk_report (below) if there is an error.
1081 */
1082 np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
1083 entries->nentries, sizeof (png_sPLT_entry)));
1084
1085 if (np->entries == NULL)
1086 {
1087 png_free(png_ptr, np->name);
1088 np->name = NULL;
1089 break;
1090 }
1091
1092 np->nentries = entries->nentries;
1093 /* This multiply can't overflow because png_malloc_array has already
1094 * checked it when doing the allocation.
1095 */
1096 memcpy(np->entries, entries->entries,
1097 (unsigned int)entries->nentries * sizeof (png_sPLT_entry));
1098
1099 /* Note that 'continue' skips the advance of the out pointer and out
1100 * count, so an invalid entry is not added.
1101 */
1102 info_ptr->valid |= PNG_INFO_sPLT;
1103 ++(info_ptr->splt_palettes_num);
1104 ++np;
1105 }
1106 while (++entries, --nentries);
1107
1108 if (nentries > 0)
1109 png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
1110 }
1111 #endif /* sPLT */
1112
1113 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
1114 static png_byte
check_location(png_const_structrp png_ptr,int location)1115 check_location(png_const_structrp png_ptr, int location)
1116 {
1117 location &= (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT);
1118
1119 /* New in 1.6.0; copy the location and check it. This is an API
1120 * change; previously the app had to use the
1121 * png_set_unknown_chunk_location API below for each chunk.
1122 */
1123 if (location == 0 && (png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1124 {
1125 /* Write struct, so unknown chunks come from the app */
1126 png_app_warning(png_ptr,
1127 "png_set_unknown_chunks now expects a valid location");
1128 /* Use the old behavior */
1129 location = (png_byte)(png_ptr->mode &
1130 (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT));
1131 }
1132
1133 /* This need not be an internal error - if the app calls
1134 * png_set_unknown_chunks on a read pointer it must get the location right.
1135 */
1136 if (location == 0)
1137 png_error(png_ptr, "invalid location in png_set_unknown_chunks");
1138
1139 /* Now reduce the location to the top-most set bit by removing each least
1140 * significant bit in turn.
1141 */
1142 while (location != (location & -location))
1143 location &= ~(location & -location);
1144
1145 /* The cast is safe because 'location' is a bit mask and only the low four
1146 * bits are significant.
1147 */
1148 return (png_byte)location;
1149 }
1150
1151 void PNGAPI
png_set_unknown_chunks(png_const_structrp png_ptr,png_inforp info_ptr,png_const_unknown_chunkp unknowns,int num_unknowns)1152 png_set_unknown_chunks(png_const_structrp png_ptr,
1153 png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
1154 {
1155 png_unknown_chunkp np;
1156
1157 if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
1158 unknowns == NULL)
1159 return;
1160
1161 /* Check for the failure cases where support has been disabled at compile
1162 * time. This code is hardly ever compiled - it's here because
1163 * STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this
1164 * code) but may be meaningless if the read or write handling of unknown
1165 * chunks is not compiled in.
1166 */
1167 # if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
1168 defined(PNG_READ_SUPPORTED)
1169 if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1170 {
1171 png_app_error(png_ptr, "no unknown chunk support on read");
1172
1173 return;
1174 }
1175 # endif
1176 # if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
1177 defined(PNG_WRITE_SUPPORTED)
1178 if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1179 {
1180 png_app_error(png_ptr, "no unknown chunk support on write");
1181
1182 return;
1183 }
1184 # endif
1185
1186 /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
1187 * unknown critical chunks could be lost with just a warning resulting in
1188 * undefined behavior. Now png_chunk_report is used to provide behavior
1189 * appropriate to read or write.
1190 */
1191 np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr,
1192 info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns,
1193 sizeof *np));
1194
1195 if (np == NULL)
1196 {
1197 png_chunk_report(png_ptr, "too many unknown chunks",
1198 PNG_CHUNK_WRITE_ERROR);
1199
1200 return;
1201 }
1202
1203 png_free(png_ptr, info_ptr->unknown_chunks);
1204 info_ptr->unknown_chunks = np; /* safe because it is initialized */
1205 info_ptr->free_me |= PNG_FREE_UNKN;
1206
1207 np += info_ptr->unknown_chunks_num;
1208
1209 /* Increment unknown_chunks_num each time round the loop to protect the
1210 * just-allocated chunk data.
1211 */
1212 for (; num_unknowns > 0; --num_unknowns, ++unknowns)
1213 {
1214 memcpy(np->name, unknowns->name, (sizeof np->name));
1215 np->name[(sizeof np->name)-1] = '\0';
1216 np->location = check_location(png_ptr, unknowns->location);
1217
1218 if (unknowns->size == 0)
1219 {
1220 np->data = NULL;
1221 np->size = 0;
1222 }
1223
1224 else
1225 {
1226 np->data = png_voidcast(png_bytep,
1227 png_malloc_base(png_ptr, unknowns->size));
1228
1229 if (np->data == NULL)
1230 {
1231 png_chunk_report(png_ptr, "unknown chunk: out of memory",
1232 PNG_CHUNK_WRITE_ERROR);
1233 /* But just skip storing the unknown chunk */
1234 continue;
1235 }
1236
1237 memcpy(np->data, unknowns->data, unknowns->size);
1238 np->size = unknowns->size;
1239 }
1240
1241 /* These increments are skipped on out-of-memory for the data - the
1242 * unknown chunk entry gets overwritten if the png_chunk_report returns.
1243 * This is correct in the read case (the chunk is just dropped.)
1244 */
1245 ++np;
1246 ++(info_ptr->unknown_chunks_num);
1247 }
1248 }
1249
1250 void PNGAPI
png_set_unknown_chunk_location(png_const_structrp png_ptr,png_inforp info_ptr,int chunk,int location)1251 png_set_unknown_chunk_location(png_const_structrp png_ptr, png_inforp info_ptr,
1252 int chunk, int location)
1253 {
1254 /* This API is pretty pointless in 1.6.0 because the location can be set
1255 * before the call to png_set_unknown_chunks.
1256 *
1257 * TODO: add a png_app_warning in 1.7
1258 */
1259 if (png_ptr != NULL && info_ptr != NULL && chunk >= 0 &&
1260 chunk < info_ptr->unknown_chunks_num)
1261 {
1262 if ((location & (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT)) == 0)
1263 {
1264 png_app_error(png_ptr, "invalid unknown chunk location");
1265 /* Fake out the pre 1.6.0 behavior: */
1266 if (((unsigned int)location & PNG_HAVE_IDAT) != 0) /* undocumented! */
1267 location = PNG_AFTER_IDAT;
1268
1269 else
1270 location = PNG_HAVE_IHDR; /* also undocumented */
1271 }
1272
1273 info_ptr->unknown_chunks[chunk].location =
1274 check_location(png_ptr, location);
1275 }
1276 }
1277 #endif /* STORE_UNKNOWN_CHUNKS */
1278
1279 #ifdef PNG_MNG_FEATURES_SUPPORTED
1280 png_uint_32 PNGAPI
png_permit_mng_features(png_structrp png_ptr,png_uint_32 mng_features)1281 png_permit_mng_features (png_structrp png_ptr, png_uint_32 mng_features)
1282 {
1283 png_debug(1, "in png_permit_mng_features");
1284
1285 if (png_ptr == NULL)
1286 return 0;
1287
1288 png_ptr->mng_features_permitted = mng_features & PNG_ALL_MNG_FEATURES;
1289
1290 return png_ptr->mng_features_permitted;
1291 }
1292 #endif
1293
1294 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
1295 static unsigned int
add_one_chunk(png_bytep list,unsigned int count,png_const_bytep add,int keep)1296 add_one_chunk(png_bytep list, unsigned int count, png_const_bytep add, int keep)
1297 {
1298 unsigned int i;
1299
1300 /* Utility function: update the 'keep' state of a chunk if it is already in
1301 * the list, otherwise add it to the list.
1302 */
1303 for (i=0; i<count; ++i, list += 5)
1304 {
1305 if (memcmp(list, add, 4) == 0)
1306 {
1307 list[4] = (png_byte)keep;
1308
1309 return count;
1310 }
1311 }
1312
1313 if (keep != PNG_HANDLE_CHUNK_AS_DEFAULT)
1314 {
1315 ++count;
1316 memcpy(list, add, 4);
1317 list[4] = (png_byte)keep;
1318 }
1319
1320 return count;
1321 }
1322
1323 void PNGAPI
png_set_keep_unknown_chunks(png_structrp png_ptr,int keep,png_const_bytep chunk_list,int num_chunks_in)1324 png_set_keep_unknown_chunks(png_structrp png_ptr, int keep,
1325 png_const_bytep chunk_list, int num_chunks_in)
1326 {
1327 png_bytep new_list;
1328 unsigned int num_chunks, old_num_chunks;
1329
1330 if (png_ptr == NULL)
1331 return;
1332
1333 if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST)
1334 {
1335 png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep");
1336
1337 return;
1338 }
1339
1340 if (num_chunks_in <= 0)
1341 {
1342 png_ptr->unknown_default = keep;
1343
1344 /* '0' means just set the flags, so stop here */
1345 if (num_chunks_in == 0)
1346 return;
1347 }
1348
1349 if (num_chunks_in < 0)
1350 {
1351 /* Ignore all unknown chunks and all chunks recognized by
1352 * libpng except for IHDR, PLTE, tRNS, IDAT, and IEND
1353 */
1354 static PNG_CONST png_byte chunks_to_ignore[] = {
1355 98, 75, 71, 68, '\0', /* bKGD */
1356 99, 72, 82, 77, '\0', /* cHRM */
1357 103, 65, 77, 65, '\0', /* gAMA */
1358 104, 73, 83, 84, '\0', /* hIST */
1359 105, 67, 67, 80, '\0', /* iCCP */
1360 105, 84, 88, 116, '\0', /* iTXt */
1361 111, 70, 70, 115, '\0', /* oFFs */
1362 112, 67, 65, 76, '\0', /* pCAL */
1363 112, 72, 89, 115, '\0', /* pHYs */
1364 115, 66, 73, 84, '\0', /* sBIT */
1365 115, 67, 65, 76, '\0', /* sCAL */
1366 115, 80, 76, 84, '\0', /* sPLT */
1367 115, 84, 69, 82, '\0', /* sTER */
1368 115, 82, 71, 66, '\0', /* sRGB */
1369 116, 69, 88, 116, '\0', /* tEXt */
1370 116, 73, 77, 69, '\0', /* tIME */
1371 122, 84, 88, 116, '\0' /* zTXt */
1372 };
1373
1374 chunk_list = chunks_to_ignore;
1375 num_chunks = (unsigned int)/*SAFE*/(sizeof chunks_to_ignore)/5U;
1376 }
1377
1378 else /* num_chunks_in > 0 */
1379 {
1380 if (chunk_list == NULL)
1381 {
1382 /* Prior to 1.6.0 this was silently ignored, now it is an app_error
1383 * which can be switched off.
1384 */
1385 png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list");
1386
1387 return;
1388 }
1389
1390 num_chunks = (unsigned int)num_chunks_in;
1391 }
1392
1393 old_num_chunks = png_ptr->num_chunk_list;
1394 if (png_ptr->chunk_list == NULL)
1395 old_num_chunks = 0;
1396
1397 /* Since num_chunks is always restricted to UINT_MAX/5 this can't overflow.
1398 */
1399 if (num_chunks + old_num_chunks > UINT_MAX/5)
1400 {
1401 png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
1402
1403 return;
1404 }
1405
1406 /* If these chunks are being reset to the default then no more memory is
1407 * required because add_one_chunk above doesn't extend the list if the 'keep'
1408 * parameter is the default.
1409 */
1410 if (keep != 0)
1411 {
1412 new_list = png_voidcast(png_bytep, png_malloc(png_ptr,
1413 5 * (num_chunks + old_num_chunks)));
1414
1415 if (old_num_chunks > 0)
1416 memcpy(new_list, png_ptr->chunk_list, 5*old_num_chunks);
1417 }
1418
1419 else if (old_num_chunks > 0)
1420 new_list = png_ptr->chunk_list;
1421
1422 else
1423 new_list = NULL;
1424
1425 /* Add the new chunks together with each one's handling code. If the chunk
1426 * already exists the code is updated, otherwise the chunk is added to the
1427 * end. (In libpng 1.6.0 order no longer matters because this code enforces
1428 * the earlier convention that the last setting is the one that is used.)
1429 */
1430 if (new_list != NULL)
1431 {
1432 png_const_bytep inlist;
1433 png_bytep outlist;
1434 unsigned int i;
1435
1436 for (i=0; i<num_chunks; ++i)
1437 {
1438 old_num_chunks = add_one_chunk(new_list, old_num_chunks,
1439 chunk_list+5*i, keep);
1440 }
1441
1442 /* Now remove any spurious 'default' entries. */
1443 num_chunks = 0;
1444 for (i=0, inlist=outlist=new_list; i<old_num_chunks; ++i, inlist += 5)
1445 {
1446 if (inlist[4])
1447 {
1448 if (outlist != inlist)
1449 memcpy(outlist, inlist, 5);
1450 outlist += 5;
1451 ++num_chunks;
1452 }
1453 }
1454
1455 /* This means the application has removed all the specialized handling. */
1456 if (num_chunks == 0)
1457 {
1458 if (png_ptr->chunk_list != new_list)
1459 png_free(png_ptr, new_list);
1460
1461 new_list = NULL;
1462 }
1463 }
1464
1465 else
1466 num_chunks = 0;
1467
1468 png_ptr->num_chunk_list = num_chunks;
1469
1470 if (png_ptr->chunk_list != new_list)
1471 {
1472 if (png_ptr->chunk_list != NULL)
1473 png_free(png_ptr, png_ptr->chunk_list);
1474
1475 png_ptr->chunk_list = new_list;
1476 }
1477 }
1478 #endif
1479
1480 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1481 void PNGAPI
png_set_read_user_chunk_fn(png_structrp png_ptr,png_voidp user_chunk_ptr,png_user_chunk_ptr read_user_chunk_fn)1482 png_set_read_user_chunk_fn(png_structrp png_ptr, png_voidp user_chunk_ptr,
1483 png_user_chunk_ptr read_user_chunk_fn)
1484 {
1485 png_debug(1, "in png_set_read_user_chunk_fn");
1486
1487 if (png_ptr == NULL)
1488 return;
1489
1490 png_ptr->read_user_chunk_fn = read_user_chunk_fn;
1491 png_ptr->user_chunk_ptr = user_chunk_ptr;
1492 }
1493 #endif
1494
1495 #ifdef PNG_INFO_IMAGE_SUPPORTED
1496 void PNGAPI
png_set_rows(png_const_structrp png_ptr,png_inforp info_ptr,png_bytepp row_pointers)1497 png_set_rows(png_const_structrp png_ptr, png_inforp info_ptr,
1498 png_bytepp row_pointers)
1499 {
1500 png_debug1(1, "in %s storage function", "rows");
1501
1502 if (png_ptr == NULL || info_ptr == NULL)
1503 return;
1504
1505 if (info_ptr->row_pointers != NULL &&
1506 (info_ptr->row_pointers != row_pointers))
1507 png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0);
1508
1509 info_ptr->row_pointers = row_pointers;
1510
1511 if (row_pointers != NULL)
1512 info_ptr->valid |= PNG_INFO_IDAT;
1513 }
1514 #endif
1515
1516 void PNGAPI
png_set_compression_buffer_size(png_structrp png_ptr,png_size_t size)1517 png_set_compression_buffer_size(png_structrp png_ptr, png_size_t size)
1518 {
1519 if (png_ptr == NULL)
1520 return;
1521
1522 if (size == 0 || size > PNG_UINT_31_MAX)
1523 png_error(png_ptr, "invalid compression buffer size");
1524
1525 # ifdef PNG_SEQUENTIAL_READ_SUPPORTED
1526 if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1527 {
1528 png_ptr->IDAT_read_size = (png_uint_32)size; /* checked above */
1529 return;
1530 }
1531 # endif
1532
1533 # ifdef PNG_WRITE_SUPPORTED
1534 if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1535 {
1536 if (png_ptr->zowner != 0)
1537 {
1538 png_warning(png_ptr,
1539 "Compression buffer size cannot be changed because it is in use");
1540
1541 return;
1542 }
1543
1544 #ifndef __COVERITY__
1545 /* Some compilers complain that this is always false. However, it
1546 * can be true when integer overflow happens.
1547 */
1548 if (size > ZLIB_IO_MAX)
1549 {
1550 png_warning(png_ptr,
1551 "Compression buffer size limited to system maximum");
1552 size = ZLIB_IO_MAX; /* must fit */
1553 }
1554 #endif
1555
1556 if (size < 6)
1557 {
1558 /* Deflate will potentially go into an infinite loop on a SYNC_FLUSH
1559 * if this is permitted.
1560 */
1561 png_warning(png_ptr,
1562 "Compression buffer size cannot be reduced below 6");
1563
1564 return;
1565 }
1566
1567 if (png_ptr->zbuffer_size != size)
1568 {
1569 png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list);
1570 png_ptr->zbuffer_size = (uInt)size;
1571 }
1572 }
1573 # endif
1574 }
1575
1576 void PNGAPI
png_set_invalid(png_const_structrp png_ptr,png_inforp info_ptr,int mask)1577 png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask)
1578 {
1579 if (png_ptr != NULL && info_ptr != NULL)
1580 info_ptr->valid &= (unsigned int)(~mask);
1581 }
1582
1583
1584 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
1585 /* This function was added to libpng 1.2.6 */
1586 void PNGAPI
png_set_user_limits(png_structrp png_ptr,png_uint_32 user_width_max,png_uint_32 user_height_max)1587 png_set_user_limits (png_structrp png_ptr, png_uint_32 user_width_max,
1588 png_uint_32 user_height_max)
1589 {
1590 /* Images with dimensions larger than these limits will be
1591 * rejected by png_set_IHDR(). To accept any PNG datastream
1592 * regardless of dimensions, set both limits to 0x7fffffff.
1593 */
1594 if (png_ptr == NULL)
1595 return;
1596
1597 png_ptr->user_width_max = user_width_max;
1598 png_ptr->user_height_max = user_height_max;
1599 }
1600
1601 /* This function was added to libpng 1.4.0 */
1602 void PNGAPI
png_set_chunk_cache_max(png_structrp png_ptr,png_uint_32 user_chunk_cache_max)1603 png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
1604 {
1605 if (png_ptr != NULL)
1606 png_ptr->user_chunk_cache_max = user_chunk_cache_max;
1607 }
1608
1609 /* This function was added to libpng 1.4.1 */
1610 void PNGAPI
png_set_chunk_malloc_max(png_structrp png_ptr,png_alloc_size_t user_chunk_malloc_max)1611 png_set_chunk_malloc_max (png_structrp png_ptr,
1612 png_alloc_size_t user_chunk_malloc_max)
1613 {
1614 if (png_ptr != NULL)
1615 png_ptr->user_chunk_malloc_max = user_chunk_malloc_max;
1616 }
1617 #endif /* ?SET_USER_LIMITS */
1618
1619
1620 #ifdef PNG_BENIGN_ERRORS_SUPPORTED
1621 void PNGAPI
png_set_benign_errors(png_structrp png_ptr,int allowed)1622 png_set_benign_errors(png_structrp png_ptr, int allowed)
1623 {
1624 png_debug(1, "in png_set_benign_errors");
1625
1626 /* If allowed is 1, png_benign_error() is treated as a warning.
1627 *
1628 * If allowed is 0, png_benign_error() is treated as an error (which
1629 * is the default behavior if png_set_benign_errors() is not called).
1630 */
1631
1632 if (allowed != 0)
1633 png_ptr->flags |= PNG_FLAG_BENIGN_ERRORS_WARN |
1634 PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN;
1635
1636 else
1637 png_ptr->flags &= ~(PNG_FLAG_BENIGN_ERRORS_WARN |
1638 PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN);
1639 }
1640 #endif /* BENIGN_ERRORS */
1641
1642 #ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
1643 /* Whether to report invalid palette index; added at libng-1.5.10.
1644 * It is possible for an indexed (color-type==3) PNG file to contain
1645 * pixels with invalid (out-of-range) indexes if the PLTE chunk has
1646 * fewer entries than the image's bit-depth would allow. We recover
1647 * from this gracefully by filling any incomplete palette with zeros
1648 * (opaque black). By default, when this occurs libpng will issue
1649 * a benign error. This API can be used to override that behavior.
1650 */
1651 void PNGAPI
png_set_check_for_invalid_index(png_structrp png_ptr,int allowed)1652 png_set_check_for_invalid_index(png_structrp png_ptr, int allowed)
1653 {
1654 png_debug(1, "in png_set_check_for_invalid_index");
1655
1656 if (allowed > 0)
1657 png_ptr->num_palette_max = 0;
1658
1659 else
1660 png_ptr->num_palette_max = -1;
1661 }
1662 #endif
1663
1664 #if defined(PNG_TEXT_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) || \
1665 defined(PNG_iCCP_SUPPORTED) || defined(PNG_sPLT_SUPPORTED)
1666 /* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
1667 * and if invalid, correct the keyword rather than discarding the entire
1668 * chunk. The PNG 1.0 specification requires keywords 1-79 characters in
1669 * length, forbids leading or trailing whitespace, multiple internal spaces,
1670 * and the non-break space (0x80) from ISO 8859-1. Returns keyword length.
1671 *
1672 * The 'new_key' buffer must be 80 characters in size (for the keyword plus a
1673 * trailing '\0'). If this routine returns 0 then there was no keyword, or a
1674 * valid one could not be generated, and the caller must png_error.
1675 */
1676 png_uint_32 /* PRIVATE */
png_check_keyword(png_structrp png_ptr,png_const_charp key,png_bytep new_key)1677 png_check_keyword(png_structrp png_ptr, png_const_charp key, png_bytep new_key)
1678 {
1679 #ifdef PNG_WARNINGS_SUPPORTED
1680 png_const_charp orig_key = key;
1681 #endif
1682 png_uint_32 key_len = 0;
1683 int bad_character = 0;
1684 int space = 1;
1685
1686 png_debug(1, "in png_check_keyword");
1687
1688 if (key == NULL)
1689 {
1690 *new_key = 0;
1691 return 0;
1692 }
1693
1694 while (*key && key_len < 79)
1695 {
1696 png_byte ch = (png_byte)*key++;
1697
1698 if ((ch > 32 && ch <= 126) || (ch >= 161 /*&& ch <= 255*/))
1699 *new_key++ = ch, ++key_len, space = 0;
1700
1701 else if (space == 0)
1702 {
1703 /* A space or an invalid character when one wasn't seen immediately
1704 * before; output just a space.
1705 */
1706 *new_key++ = 32, ++key_len, space = 1;
1707
1708 /* If the character was not a space then it is invalid. */
1709 if (ch != 32)
1710 bad_character = ch;
1711 }
1712
1713 else if (bad_character == 0)
1714 bad_character = ch; /* just skip it, record the first error */
1715 }
1716
1717 if (key_len > 0 && space != 0) /* trailing space */
1718 {
1719 --key_len, --new_key;
1720 if (bad_character == 0)
1721 bad_character = 32;
1722 }
1723
1724 /* Terminate the keyword */
1725 *new_key = 0;
1726
1727 if (key_len == 0)
1728 return 0;
1729
1730 #ifdef PNG_WARNINGS_SUPPORTED
1731 /* Try to only output one warning per keyword: */
1732 if (*key != 0) /* keyword too long */
1733 png_warning(png_ptr, "keyword truncated");
1734
1735 else if (bad_character != 0)
1736 {
1737 PNG_WARNING_PARAMETERS(p)
1738
1739 png_warning_parameter(p, 1, orig_key);
1740 png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_02x, bad_character);
1741
1742 png_formatted_warning(png_ptr, p, "keyword \"@1\": bad character '0x@2'");
1743 }
1744 #else /* !WARNINGS */
1745 PNG_UNUSED(png_ptr)
1746 #endif /* !WARNINGS */
1747
1748 return key_len;
1749 }
1750 #endif /* TEXT || pCAL || iCCP || sPLT */
1751 #endif /* READ || WRITE */
1752