1
2 /* png.c - location for general purpose libpng functions
3 *
4 * Last changed in libpng 1.6.26 [October 20, 2016]
5 * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 /* Generate a compiler error if there is an old png.h in the search path. */
17 typedef png_libpng_version_1_6_26 Your_png_h_is_not_version_1_6_26;
18
19 /* Tells libpng that we have already handled the first "num_bytes" bytes
20 * of the PNG file signature. If the PNG data is embedded into another
21 * stream we can set num_bytes = 8 so that libpng will not attempt to read
22 * or write any of the magic bytes before it starts on the IHDR.
23 */
24
25 #ifdef PNG_READ_SUPPORTED
26 void PNGAPI
png_set_sig_bytes(png_structrp png_ptr,int num_bytes)27 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
28 {
29 unsigned int nb = (unsigned int)num_bytes;
30
31 png_debug(1, "in png_set_sig_bytes");
32
33 if (png_ptr == NULL)
34 return;
35
36 if (num_bytes < 0)
37 nb = 0;
38
39 if (nb > 8)
40 png_error(png_ptr, "Too many bytes for PNG signature");
41
42 png_ptr->sig_bytes = (png_byte)nb;
43 }
44
45 /* Checks whether the supplied bytes match the PNG signature. We allow
46 * checking less than the full 8-byte signature so that those apps that
47 * already read the first few bytes of a file to determine the file type
48 * can simply check the remaining bytes for extra assurance. Returns
49 * an integer less than, equal to, or greater than zero if sig is found,
50 * respectively, to be less than, to match, or be greater than the correct
51 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
52 */
53 int PNGAPI
png_sig_cmp(png_const_bytep sig,png_size_t start,png_size_t num_to_check)54 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
55 {
56 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
57
58 if (num_to_check > 8)
59 num_to_check = 8;
60
61 else if (num_to_check < 1)
62 return (-1);
63
64 if (start > 7)
65 return (-1);
66
67 if (start + num_to_check > 8)
68 num_to_check = 8 - start;
69
70 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
71 }
72
73 #endif /* READ */
74
75 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
76 /* Function to allocate memory for zlib */
77 PNG_FUNCTION(voidpf /* PRIVATE */,
78 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
79 {
80 png_alloc_size_t num_bytes = size;
81
82 if (png_ptr == NULL)
83 return NULL;
84
85 if (items >= (~(png_alloc_size_t)0)/size)
86 {
87 png_warning (png_voidcast(png_structrp, png_ptr),
88 "Potential overflow in png_zalloc()");
89 return NULL;
90 }
91
92 num_bytes *= items;
93 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
94 }
95
96 /* Function to free memory for zlib */
97 void /* PRIVATE */
png_zfree(voidpf png_ptr,voidpf ptr)98 png_zfree(voidpf png_ptr, voidpf ptr)
99 {
100 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
101 }
102
103 /* Reset the CRC variable to 32 bits of 1's. Care must be taken
104 * in case CRC is > 32 bits to leave the top bits 0.
105 */
106 void /* PRIVATE */
png_reset_crc(png_structrp png_ptr)107 png_reset_crc(png_structrp png_ptr)
108 {
109 /* The cast is safe because the crc is a 32-bit value. */
110 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
111 }
112
113 /* Calculate the CRC over a section of data. We can only pass as
114 * much data to this routine as the largest single buffer size. We
115 * also check that this data will actually be used before going to the
116 * trouble of calculating it.
117 */
118 void /* PRIVATE */
png_calculate_crc(png_structrp png_ptr,png_const_bytep ptr,png_size_t length)119 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
120 {
121 int need_crc = 1;
122
123 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
124 {
125 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
126 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
127 need_crc = 0;
128 }
129
130 else /* critical */
131 {
132 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
133 need_crc = 0;
134 }
135
136 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
137 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
138 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
139 * necessary to perform a loop here.
140 */
141 if (need_crc != 0 && length > 0)
142 {
143 uLong crc = png_ptr->crc; /* Should never issue a warning */
144
145 do
146 {
147 uInt safe_length = (uInt)length;
148 #ifndef __COVERITY__
149 if (safe_length == 0)
150 safe_length = (uInt)-1; /* evil, but safe */
151 #endif
152
153 crc = crc32(crc, ptr, safe_length);
154
155 /* The following should never issue compiler warnings; if they do the
156 * target system has characteristics that will probably violate other
157 * assumptions within the libpng code.
158 */
159 ptr += safe_length;
160 length -= safe_length;
161 }
162 while (length > 0);
163
164 /* And the following is always safe because the crc is only 32 bits. */
165 png_ptr->crc = (png_uint_32)crc;
166 }
167 }
168
169 /* Check a user supplied version number, called from both read and write
170 * functions that create a png_struct.
171 */
172 int
png_user_version_check(png_structrp png_ptr,png_const_charp user_png_ver)173 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
174 {
175 /* Libpng versions 1.0.0 and later are binary compatible if the version
176 * string matches through the second '.'; we must recompile any
177 * applications that use any older library version.
178 */
179
180 if (user_png_ver != NULL)
181 {
182 int i = -1;
183 int found_dots = 0;
184
185 do
186 {
187 i++;
188 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
189 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
190 if (user_png_ver[i] == '.')
191 found_dots++;
192 } while (found_dots < 2 && user_png_ver[i] != 0 &&
193 PNG_LIBPNG_VER_STRING[i] != 0);
194 }
195
196 else
197 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
198
199 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
200 {
201 #ifdef PNG_WARNINGS_SUPPORTED
202 size_t pos = 0;
203 char m[128];
204
205 pos = png_safecat(m, (sizeof m), pos,
206 "Application built with libpng-");
207 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
208 pos = png_safecat(m, (sizeof m), pos, " but running with ");
209 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
210 PNG_UNUSED(pos)
211
212 png_warning(png_ptr, m);
213 #endif
214
215 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
216 png_ptr->flags = 0;
217 #endif
218
219 return 0;
220 }
221
222 /* Success return. */
223 return 1;
224 }
225
226 /* Generic function to create a png_struct for either read or write - this
227 * contains the common initialization.
228 */
229 PNG_FUNCTION(png_structp /* PRIVATE */,
230 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
231 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
232 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
233 {
234 png_struct create_struct;
235 # ifdef PNG_SETJMP_SUPPORTED
236 jmp_buf create_jmp_buf;
237 # endif
238
239 /* This temporary stack-allocated structure is used to provide a place to
240 * build enough context to allow the user provided memory allocator (if any)
241 * to be called.
242 */
243 memset(&create_struct, 0, (sizeof create_struct));
244
245 /* Added at libpng-1.2.6 */
246 # ifdef PNG_USER_LIMITS_SUPPORTED
247 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
248 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
249
250 # ifdef PNG_USER_CHUNK_CACHE_MAX
251 /* Added at libpng-1.2.43 and 1.4.0 */
252 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
253 # endif
254
255 # ifdef PNG_USER_CHUNK_MALLOC_MAX
256 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
257 * in png_struct regardless.
258 */
259 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
260 # endif
261 # endif
262
263 /* The following two API calls simply set fields in png_struct, so it is safe
264 * to do them now even though error handling is not yet set up.
265 */
266 # ifdef PNG_USER_MEM_SUPPORTED
267 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
268 # else
269 PNG_UNUSED(mem_ptr)
270 PNG_UNUSED(malloc_fn)
271 PNG_UNUSED(free_fn)
272 # endif
273
274 /* (*error_fn) can return control to the caller after the error_ptr is set,
275 * this will result in a memory leak unless the error_fn does something
276 * extremely sophisticated. The design lacks merit but is implicit in the
277 * API.
278 */
279 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
280
281 # ifdef PNG_SETJMP_SUPPORTED
282 if (!setjmp(create_jmp_buf))
283 # endif
284 {
285 # ifdef PNG_SETJMP_SUPPORTED
286 /* Temporarily fake out the longjmp information until we have
287 * successfully completed this function. This only works if we have
288 * setjmp() support compiled in, but it is safe - this stuff should
289 * never happen.
290 */
291 create_struct.jmp_buf_ptr = &create_jmp_buf;
292 create_struct.jmp_buf_size = 0; /*stack allocation*/
293 create_struct.longjmp_fn = longjmp;
294 # endif
295 /* Call the general version checker (shared with read and write code):
296 */
297 if (png_user_version_check(&create_struct, user_png_ver) != 0)
298 {
299 png_structrp png_ptr = png_voidcast(png_structrp,
300 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
301
302 if (png_ptr != NULL)
303 {
304 /* png_ptr->zstream holds a back-pointer to the png_struct, so
305 * this can only be done now:
306 */
307 create_struct.zstream.zalloc = png_zalloc;
308 create_struct.zstream.zfree = png_zfree;
309 create_struct.zstream.opaque = png_ptr;
310
311 # ifdef PNG_SETJMP_SUPPORTED
312 /* Eliminate the local error handling: */
313 create_struct.jmp_buf_ptr = NULL;
314 create_struct.jmp_buf_size = 0;
315 create_struct.longjmp_fn = 0;
316 # endif
317
318 *png_ptr = create_struct;
319
320 /* This is the successful return point */
321 return png_ptr;
322 }
323 }
324 }
325
326 /* A longjmp because of a bug in the application storage allocator or a
327 * simple failure to allocate the png_struct.
328 */
329 return NULL;
330 }
331
332 /* Allocate the memory for an info_struct for the application. */
333 PNG_FUNCTION(png_infop,PNGAPI
334 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
335 {
336 png_inforp info_ptr;
337
338 png_debug(1, "in png_create_info_struct");
339
340 if (png_ptr == NULL)
341 return NULL;
342
343 /* Use the internal API that does not (or at least should not) error out, so
344 * that this call always returns ok. The application typically sets up the
345 * error handling *after* creating the info_struct because this is the way it
346 * has always been done in 'example.c'.
347 */
348 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
349 (sizeof *info_ptr)));
350
351 if (info_ptr != NULL)
352 memset(info_ptr, 0, (sizeof *info_ptr));
353
354 return info_ptr;
355 }
356
357 /* This function frees the memory associated with a single info struct.
358 * Normally, one would use either png_destroy_read_struct() or
359 * png_destroy_write_struct() to free an info struct, but this may be
360 * useful for some applications. From libpng 1.6.0 this function is also used
361 * internally to implement the png_info release part of the 'struct' destroy
362 * APIs. This ensures that all possible approaches free the same data (all of
363 * it).
364 */
365 void PNGAPI
png_destroy_info_struct(png_const_structrp png_ptr,png_infopp info_ptr_ptr)366 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
367 {
368 png_inforp info_ptr = NULL;
369
370 png_debug(1, "in png_destroy_info_struct");
371
372 if (png_ptr == NULL)
373 return;
374
375 if (info_ptr_ptr != NULL)
376 info_ptr = *info_ptr_ptr;
377
378 if (info_ptr != NULL)
379 {
380 /* Do this first in case of an error below; if the app implements its own
381 * memory management this can lead to png_free calling png_error, which
382 * will abort this routine and return control to the app error handler.
383 * An infinite loop may result if it then tries to free the same info
384 * ptr.
385 */
386 *info_ptr_ptr = NULL;
387
388 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
389 memset(info_ptr, 0, (sizeof *info_ptr));
390 png_free(png_ptr, info_ptr);
391 }
392 }
393
394 /* Initialize the info structure. This is now an internal function (0.89)
395 * and applications using it are urged to use png_create_info_struct()
396 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
397 * is just a memset).
398 *
399 * NOTE: it is almost inconceivable that this API is used because it bypasses
400 * the user-memory mechanism and the user error handling/warning mechanisms in
401 * those cases where it does anything other than a memset.
402 */
403 PNG_FUNCTION(void,PNGAPI
404 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
405 PNG_DEPRECATED)
406 {
407 png_inforp info_ptr = *ptr_ptr;
408
409 png_debug(1, "in png_info_init_3");
410
411 if (info_ptr == NULL)
412 return;
413
414 if ((sizeof (png_info)) > png_info_struct_size)
415 {
416 *ptr_ptr = NULL;
417 /* The following line is why this API should not be used: */
418 free(info_ptr);
419 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
420 (sizeof *info_ptr)));
421 if (info_ptr == NULL)
422 return;
423 *ptr_ptr = info_ptr;
424 }
425
426 /* Set everything to 0 */
427 memset(info_ptr, 0, (sizeof *info_ptr));
428 }
429
430 /* The following API is not called internally */
431 void PNGAPI
png_data_freer(png_const_structrp png_ptr,png_inforp info_ptr,int freer,png_uint_32 mask)432 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
433 int freer, png_uint_32 mask)
434 {
435 png_debug(1, "in png_data_freer");
436
437 if (png_ptr == NULL || info_ptr == NULL)
438 return;
439
440 if (freer == PNG_DESTROY_WILL_FREE_DATA)
441 info_ptr->free_me |= mask;
442
443 else if (freer == PNG_USER_WILL_FREE_DATA)
444 info_ptr->free_me &= ~mask;
445
446 else
447 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
448 }
449
450 void PNGAPI
png_free_data(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 mask,int num)451 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
452 int num)
453 {
454 png_debug(1, "in png_free_data");
455
456 if (png_ptr == NULL || info_ptr == NULL)
457 return;
458
459 #ifdef PNG_TEXT_SUPPORTED
460 /* Free text item num or (if num == -1) all text items */
461 if (info_ptr->text != NULL &&
462 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
463 {
464 if (num != -1)
465 {
466 png_free(png_ptr, info_ptr->text[num].key);
467 info_ptr->text[num].key = NULL;
468 }
469
470 else
471 {
472 int i;
473
474 for (i = 0; i < info_ptr->num_text; i++)
475 png_free(png_ptr, info_ptr->text[i].key);
476
477 png_free(png_ptr, info_ptr->text);
478 info_ptr->text = NULL;
479 info_ptr->num_text = 0;
480 }
481 }
482 #endif
483
484 #ifdef PNG_tRNS_SUPPORTED
485 /* Free any tRNS entry */
486 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
487 {
488 info_ptr->valid &= ~PNG_INFO_tRNS;
489 png_free(png_ptr, info_ptr->trans_alpha);
490 info_ptr->trans_alpha = NULL;
491 info_ptr->num_trans = 0;
492 }
493 #endif
494
495 #ifdef PNG_sCAL_SUPPORTED
496 /* Free any sCAL entry */
497 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
498 {
499 png_free(png_ptr, info_ptr->scal_s_width);
500 png_free(png_ptr, info_ptr->scal_s_height);
501 info_ptr->scal_s_width = NULL;
502 info_ptr->scal_s_height = NULL;
503 info_ptr->valid &= ~PNG_INFO_sCAL;
504 }
505 #endif
506
507 #ifdef PNG_pCAL_SUPPORTED
508 /* Free any pCAL entry */
509 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
510 {
511 png_free(png_ptr, info_ptr->pcal_purpose);
512 png_free(png_ptr, info_ptr->pcal_units);
513 info_ptr->pcal_purpose = NULL;
514 info_ptr->pcal_units = NULL;
515
516 if (info_ptr->pcal_params != NULL)
517 {
518 int i;
519
520 for (i = 0; i < info_ptr->pcal_nparams; i++)
521 png_free(png_ptr, info_ptr->pcal_params[i]);
522
523 png_free(png_ptr, info_ptr->pcal_params);
524 info_ptr->pcal_params = NULL;
525 }
526 info_ptr->valid &= ~PNG_INFO_pCAL;
527 }
528 #endif
529
530 #ifdef PNG_iCCP_SUPPORTED
531 /* Free any profile entry */
532 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
533 {
534 png_free(png_ptr, info_ptr->iccp_name);
535 png_free(png_ptr, info_ptr->iccp_profile);
536 info_ptr->iccp_name = NULL;
537 info_ptr->iccp_profile = NULL;
538 info_ptr->valid &= ~PNG_INFO_iCCP;
539 }
540 #endif
541
542 #ifdef PNG_sPLT_SUPPORTED
543 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
544 if (info_ptr->splt_palettes != NULL &&
545 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
546 {
547 if (num != -1)
548 {
549 png_free(png_ptr, info_ptr->splt_palettes[num].name);
550 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
551 info_ptr->splt_palettes[num].name = NULL;
552 info_ptr->splt_palettes[num].entries = NULL;
553 }
554
555 else
556 {
557 int i;
558
559 for (i = 0; i < info_ptr->splt_palettes_num; i++)
560 {
561 png_free(png_ptr, info_ptr->splt_palettes[i].name);
562 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
563 }
564
565 png_free(png_ptr, info_ptr->splt_palettes);
566 info_ptr->splt_palettes = NULL;
567 info_ptr->splt_palettes_num = 0;
568 info_ptr->valid &= ~PNG_INFO_sPLT;
569 }
570 }
571 #endif
572
573 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
574 if (info_ptr->unknown_chunks != NULL &&
575 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
576 {
577 if (num != -1)
578 {
579 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
580 info_ptr->unknown_chunks[num].data = NULL;
581 }
582
583 else
584 {
585 int i;
586
587 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
588 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
589
590 png_free(png_ptr, info_ptr->unknown_chunks);
591 info_ptr->unknown_chunks = NULL;
592 info_ptr->unknown_chunks_num = 0;
593 }
594 }
595 #endif
596
597 #ifdef PNG_hIST_SUPPORTED
598 /* Free any hIST entry */
599 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
600 {
601 png_free(png_ptr, info_ptr->hist);
602 info_ptr->hist = NULL;
603 info_ptr->valid &= ~PNG_INFO_hIST;
604 }
605 #endif
606
607 /* Free any PLTE entry that was internally allocated */
608 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
609 {
610 png_free(png_ptr, info_ptr->palette);
611 info_ptr->palette = NULL;
612 info_ptr->valid &= ~PNG_INFO_PLTE;
613 info_ptr->num_palette = 0;
614 }
615
616 #ifdef PNG_INFO_IMAGE_SUPPORTED
617 /* Free any image bits attached to the info structure */
618 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
619 {
620 if (info_ptr->row_pointers != NULL)
621 {
622 png_uint_32 row;
623 for (row = 0; row < info_ptr->height; row++)
624 png_free(png_ptr, info_ptr->row_pointers[row]);
625
626 png_free(png_ptr, info_ptr->row_pointers);
627 info_ptr->row_pointers = NULL;
628 }
629 info_ptr->valid &= ~PNG_INFO_IDAT;
630 }
631 #endif
632
633 if (num != -1)
634 mask &= ~PNG_FREE_MUL;
635
636 info_ptr->free_me &= ~mask;
637 }
638 #endif /* READ || WRITE */
639
640 /* This function returns a pointer to the io_ptr associated with the user
641 * functions. The application should free any memory associated with this
642 * pointer before png_write_destroy() or png_read_destroy() are called.
643 */
644 png_voidp PNGAPI
png_get_io_ptr(png_const_structrp png_ptr)645 png_get_io_ptr(png_const_structrp png_ptr)
646 {
647 if (png_ptr == NULL)
648 return (NULL);
649
650 return (png_ptr->io_ptr);
651 }
652
653 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
654 # ifdef PNG_STDIO_SUPPORTED
655 /* Initialize the default input/output functions for the PNG file. If you
656 * use your own read or write routines, you can call either png_set_read_fn()
657 * or png_set_write_fn() instead of png_init_io(). If you have defined
658 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
659 * function of your own because "FILE *" isn't necessarily available.
660 */
661 void PNGAPI
png_init_io(png_structrp png_ptr,png_FILE_p fp)662 png_init_io(png_structrp png_ptr, png_FILE_p fp)
663 {
664 png_debug(1, "in png_init_io");
665
666 if (png_ptr == NULL)
667 return;
668
669 png_ptr->io_ptr = (png_voidp)fp;
670 }
671 # endif
672
673 # ifdef PNG_SAVE_INT_32_SUPPORTED
674 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
675 * defines a cast of a signed integer to an unsigned integer either to preserve
676 * the value, if it is positive, or to calculate:
677 *
678 * (UNSIGNED_MAX+1) + integer
679 *
680 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
681 * negative integral value is added the result will be an unsigned value
682 * correspnding to the 2's complement representation.
683 */
684 void PNGAPI
png_save_int_32(png_bytep buf,png_int_32 i)685 png_save_int_32(png_bytep buf, png_int_32 i)
686 {
687 png_save_uint_32(buf, (png_uint_32)i);
688 }
689 # endif
690
691 # ifdef PNG_TIME_RFC1123_SUPPORTED
692 /* Convert the supplied time into an RFC 1123 string suitable for use in
693 * a "Creation Time" or other text-based time string.
694 */
695 int PNGAPI
png_convert_to_rfc1123_buffer(char out[29],png_const_timep ptime)696 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
697 {
698 static PNG_CONST char short_months[12][4] =
699 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
700 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
701
702 if (out == NULL)
703 return 0;
704
705 if (ptime->year > 9999 /* RFC1123 limitation */ ||
706 ptime->month == 0 || ptime->month > 12 ||
707 ptime->day == 0 || ptime->day > 31 ||
708 ptime->hour > 23 || ptime->minute > 59 ||
709 ptime->second > 60)
710 return 0;
711
712 {
713 size_t pos = 0;
714 char number_buf[5]; /* enough for a four-digit year */
715
716 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
717 # define APPEND_NUMBER(format, value)\
718 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
719 # define APPEND(ch) if (pos < 28) out[pos++] = (ch)
720
721 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
722 APPEND(' ');
723 APPEND_STRING(short_months[(ptime->month - 1)]);
724 APPEND(' ');
725 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
726 APPEND(' ');
727 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
728 APPEND(':');
729 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
730 APPEND(':');
731 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
732 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
733 PNG_UNUSED (pos)
734
735 # undef APPEND
736 # undef APPEND_NUMBER
737 # undef APPEND_STRING
738 }
739
740 return 1;
741 }
742
743 # if PNG_LIBPNG_VER < 10700
744 /* To do: remove the following from libpng-1.7 */
745 /* Original API that uses a private buffer in png_struct.
746 * Deprecated because it causes png_struct to carry a spurious temporary
747 * buffer (png_struct::time_buffer), better to have the caller pass this in.
748 */
749 png_const_charp PNGAPI
png_convert_to_rfc1123(png_structrp png_ptr,png_const_timep ptime)750 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
751 {
752 if (png_ptr != NULL)
753 {
754 /* The only failure above if png_ptr != NULL is from an invalid ptime */
755 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
756 png_warning(png_ptr, "Ignoring invalid time value");
757
758 else
759 return png_ptr->time_buffer;
760 }
761
762 return NULL;
763 }
764 # endif /* LIBPNG_VER < 10700 */
765 # endif /* TIME_RFC1123 */
766
767 #endif /* READ || WRITE */
768
769 png_const_charp PNGAPI
png_get_copyright(png_const_structrp png_ptr)770 png_get_copyright(png_const_structrp png_ptr)
771 {
772 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
773 #ifdef PNG_STRING_COPYRIGHT
774 return PNG_STRING_COPYRIGHT
775 #else
776 # ifdef __STDC__
777 return PNG_STRING_NEWLINE \
778 "libpng version 1.6.26+apng - October 20, 2016" PNG_STRING_NEWLINE \
779 "Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson" \
780 PNG_STRING_NEWLINE \
781 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
782 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
783 PNG_STRING_NEWLINE \
784 "Portions Copyright (c) 2006-2007 Andrew Smith" PNG_STRING_NEWLINE \
785 "Portions Copyright (c) 2008-2016 Max Stepin" PNG_STRING_NEWLINE ;
786 # else
787 return "libpng version 1.6.26+apng - October 20, 2016\
788 Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson\
789 Copyright (c) 1996-1997 Andreas Dilger\
790 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.\
791 Portions Copyright (c) 2006-2007 Andrew Smith\
792 Portions Copyright (c) 2008-2016 Max Stepin";
793 # endif
794 #endif
795 }
796
797 /* The following return the library version as a short string in the
798 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
799 * used with your application, print out PNG_LIBPNG_VER_STRING, which
800 * is defined in png.h.
801 * Note: now there is no difference between png_get_libpng_ver() and
802 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
803 * it is guaranteed that png.c uses the correct version of png.h.
804 */
805 png_const_charp PNGAPI
806 png_get_libpng_ver(png_const_structrp png_ptr)
807 {
808 /* Version of *.c files used when building libpng */
809 return png_get_header_ver(png_ptr);
810 }
811
812 png_const_charp PNGAPI
813 png_get_header_ver(png_const_structrp png_ptr)
814 {
815 /* Version of *.h files used when building libpng */
816 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
817 return PNG_LIBPNG_VER_STRING;
818 }
819
820 png_const_charp PNGAPI
821 png_get_header_version(png_const_structrp png_ptr)
822 {
823 /* Returns longer string containing both version and date */
824 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
825 #ifdef __STDC__
826 return PNG_HEADER_VERSION_STRING
827 # ifndef PNG_READ_SUPPORTED
828 " (NO READ SUPPORT)"
829 # endif
830 PNG_STRING_NEWLINE;
831 #else
832 return PNG_HEADER_VERSION_STRING;
833 #endif
834 }
835
836 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
837 /* NOTE: this routine is not used internally! */
838 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
839 * large of png_color. This lets grayscale images be treated as
840 * paletted. Most useful for gamma correction and simplification
841 * of code. This API is not used internally.
842 */
843 void PNGAPI
844 png_build_grayscale_palette(int bit_depth, png_colorp palette)
845 {
846 int num_palette;
847 int color_inc;
848 int i;
849 int v;
850
851 png_debug(1, "in png_do_build_grayscale_palette");
852
853 if (palette == NULL)
854 return;
855
856 switch (bit_depth)
857 {
858 case 1:
859 num_palette = 2;
860 color_inc = 0xff;
861 break;
862
863 case 2:
864 num_palette = 4;
865 color_inc = 0x55;
866 break;
867
868 case 4:
869 num_palette = 16;
870 color_inc = 0x11;
871 break;
872
873 case 8:
874 num_palette = 256;
875 color_inc = 1;
876 break;
877
878 default:
879 num_palette = 0;
880 color_inc = 0;
881 break;
882 }
883
884 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
885 {
886 palette[i].red = (png_byte)(v & 0xff);
887 palette[i].green = (png_byte)(v & 0xff);
888 palette[i].blue = (png_byte)(v & 0xff);
889 }
890 }
891 #endif
892
893 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
894 int PNGAPI
895 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
896 {
897 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
898 png_const_bytep p, p_end;
899
900 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
901 return PNG_HANDLE_CHUNK_AS_DEFAULT;
902
903 p_end = png_ptr->chunk_list;
904 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
905
906 /* The code is the fifth byte after each four byte string. Historically this
907 * code was always searched from the end of the list, this is no longer
908 * necessary because the 'set' routine handles duplicate entries correcty.
909 */
910 do /* num_chunk_list > 0, so at least one */
911 {
912 p -= 5;
913
914 if (memcmp(chunk_name, p, 4) == 0)
915 return p[4];
916 }
917 while (p > p_end);
918
919 /* This means that known chunks should be processed and unknown chunks should
920 * be handled according to the value of png_ptr->unknown_default; this can be
921 * confusing because, as a result, there are two levels of defaulting for
922 * unknown chunks.
923 */
924 return PNG_HANDLE_CHUNK_AS_DEFAULT;
925 }
926
927 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
928 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
929 int /* PRIVATE */
930 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
931 {
932 png_byte chunk_string[5];
933
934 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
935 return png_handle_as_unknown(png_ptr, chunk_string);
936 }
937 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
938 #endif /* SET_UNKNOWN_CHUNKS */
939
940 #ifdef PNG_READ_SUPPORTED
941 /* This function, added to libpng-1.0.6g, is untested. */
942 int PNGAPI
943 png_reset_zstream(png_structrp png_ptr)
944 {
945 if (png_ptr == NULL)
946 return Z_STREAM_ERROR;
947
948 /* WARNING: this resets the window bits to the maximum! */
949 return (inflateReset(&png_ptr->zstream));
950 }
951 #endif /* READ */
952
953 /* This function was added to libpng-1.0.7 */
954 png_uint_32 PNGAPI
955 png_access_version_number(void)
956 {
957 /* Version of *.c files used when building libpng */
958 return((png_uint_32)PNG_LIBPNG_VER);
959 }
960
961 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
962 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
963 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
964 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
965 */
966 void /* PRIVATE */
967 png_zstream_error(png_structrp png_ptr, int ret)
968 {
969 /* Translate 'ret' into an appropriate error string, priority is given to the
970 * one in zstream if set. This always returns a string, even in cases like
971 * Z_OK or Z_STREAM_END where the error code is a success code.
972 */
973 if (png_ptr->zstream.msg == NULL) switch (ret)
974 {
975 default:
976 case Z_OK:
977 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
978 break;
979
980 case Z_STREAM_END:
981 /* Normal exit */
982 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
983 break;
984
985 case Z_NEED_DICT:
986 /* This means the deflate stream did not have a dictionary; this
987 * indicates a bogus PNG.
988 */
989 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
990 break;
991
992 case Z_ERRNO:
993 /* gz APIs only: should not happen */
994 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
995 break;
996
997 case Z_STREAM_ERROR:
998 /* internal libpng error */
999 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1000 break;
1001
1002 case Z_DATA_ERROR:
1003 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1004 break;
1005
1006 case Z_MEM_ERROR:
1007 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1008 break;
1009
1010 case Z_BUF_ERROR:
1011 /* End of input or output; not a problem if the caller is doing
1012 * incremental read or write.
1013 */
1014 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1015 break;
1016
1017 case Z_VERSION_ERROR:
1018 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1019 break;
1020
1021 case PNG_UNEXPECTED_ZLIB_RETURN:
1022 /* Compile errors here mean that zlib now uses the value co-opted in
1023 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1024 * and change pngpriv.h. Note that this message is "... return",
1025 * whereas the default/Z_OK one is "... return code".
1026 */
1027 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1028 break;
1029 }
1030 }
1031
1032 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1033 * at libpng 1.5.5!
1034 */
1035
1036 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1037 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1038 static int
1039 png_colorspace_check_gamma(png_const_structrp png_ptr,
1040 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1041 /* This is called to check a new gamma value against an existing one. The
1042 * routine returns false if the new gamma value should not be written.
1043 *
1044 * 'from' says where the new gamma value comes from:
1045 *
1046 * 0: the new gamma value is the libpng estimate for an ICC profile
1047 * 1: the new gamma value comes from a gAMA chunk
1048 * 2: the new gamma value comes from an sRGB chunk
1049 */
1050 {
1051 png_fixed_point gtest;
1052
1053 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1054 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1055 png_gamma_significant(gtest) != 0))
1056 {
1057 /* Either this is an sRGB image, in which case the calculated gamma
1058 * approximation should match, or this is an image with a profile and the
1059 * value libpng calculates for the gamma of the profile does not match the
1060 * value recorded in the file. The former, sRGB, case is an error, the
1061 * latter is just a warning.
1062 */
1063 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1064 {
1065 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1066 PNG_CHUNK_ERROR);
1067 /* Do not overwrite an sRGB value */
1068 return from == 2;
1069 }
1070
1071 else /* sRGB tag not involved */
1072 {
1073 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1074 PNG_CHUNK_WARNING);
1075 return from == 1;
1076 }
1077 }
1078
1079 return 1;
1080 }
1081
1082 void /* PRIVATE */
1083 png_colorspace_set_gamma(png_const_structrp png_ptr,
1084 png_colorspacerp colorspace, png_fixed_point gAMA)
1085 {
1086 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1087 * occur. Since the fixed point representation is asymetrical it is
1088 * possible for 1/gamma to overflow the limit of 21474 and this means the
1089 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1090 * safety the limits here are a little narrower. The values are 0.00016 to
1091 * 6250.0, which are truly ridiculous gamma values (and will produce
1092 * displays that are all black or all white.)
1093 *
1094 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1095 * handling code, which only required the value to be >0.
1096 */
1097 png_const_charp errmsg;
1098
1099 if (gAMA < 16 || gAMA > 625000000)
1100 errmsg = "gamma value out of range";
1101
1102 # ifdef PNG_READ_gAMA_SUPPORTED
1103 /* Allow the application to set the gamma value more than once */
1104 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1105 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1106 errmsg = "duplicate";
1107 # endif
1108
1109 /* Do nothing if the colorspace is already invalid */
1110 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1111 return;
1112
1113 else
1114 {
1115 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1116 1/*from gAMA*/) != 0)
1117 {
1118 /* Store this gamma value. */
1119 colorspace->gamma = gAMA;
1120 colorspace->flags |=
1121 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1122 }
1123
1124 /* At present if the check_gamma test fails the gamma of the colorspace is
1125 * not updated however the colorspace is not invalidated. This
1126 * corresponds to the case where the existing gamma comes from an sRGB
1127 * chunk or profile. An error message has already been output.
1128 */
1129 return;
1130 }
1131
1132 /* Error exit - errmsg has been set. */
1133 colorspace->flags |= PNG_COLORSPACE_INVALID;
1134 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1135 }
1136
1137 void /* PRIVATE */
1138 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1139 {
1140 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1141 {
1142 /* Everything is invalid */
1143 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1144 PNG_INFO_iCCP);
1145
1146 # ifdef PNG_COLORSPACE_SUPPORTED
1147 /* Clean up the iCCP profile now if it won't be used. */
1148 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1149 # else
1150 PNG_UNUSED(png_ptr)
1151 # endif
1152 }
1153
1154 else
1155 {
1156 # ifdef PNG_COLORSPACE_SUPPORTED
1157 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1158 * it; this allows a PNG to contain a profile which matches sRGB and
1159 * yet still have that profile retrievable by the application.
1160 */
1161 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1162 info_ptr->valid |= PNG_INFO_sRGB;
1163
1164 else
1165 info_ptr->valid &= ~PNG_INFO_sRGB;
1166
1167 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1168 info_ptr->valid |= PNG_INFO_cHRM;
1169
1170 else
1171 info_ptr->valid &= ~PNG_INFO_cHRM;
1172 # endif
1173
1174 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1175 info_ptr->valid |= PNG_INFO_gAMA;
1176
1177 else
1178 info_ptr->valid &= ~PNG_INFO_gAMA;
1179 }
1180 }
1181
1182 #ifdef PNG_READ_SUPPORTED
1183 void /* PRIVATE */
1184 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1185 {
1186 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1187 return;
1188
1189 info_ptr->colorspace = png_ptr->colorspace;
1190 png_colorspace_sync_info(png_ptr, info_ptr);
1191 }
1192 #endif
1193 #endif /* GAMMA */
1194
1195 #ifdef PNG_COLORSPACE_SUPPORTED
1196 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1197 * cHRM, as opposed to using chromaticities. These internal APIs return
1198 * non-zero on a parameter error. The X, Y and Z values are required to be
1199 * positive and less than 1.0.
1200 */
1201 static int
1202 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1203 {
1204 png_int_32 d, dwhite, whiteX, whiteY;
1205
1206 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1207 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1208 return 1;
1209 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1210 return 1;
1211 dwhite = d;
1212 whiteX = XYZ->red_X;
1213 whiteY = XYZ->red_Y;
1214
1215 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1216 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1217 return 1;
1218 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1219 return 1;
1220 dwhite += d;
1221 whiteX += XYZ->green_X;
1222 whiteY += XYZ->green_Y;
1223
1224 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1225 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1226 return 1;
1227 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1228 return 1;
1229 dwhite += d;
1230 whiteX += XYZ->blue_X;
1231 whiteY += XYZ->blue_Y;
1232
1233 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1234 * thus:
1235 */
1236 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1237 return 1;
1238 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1239 return 1;
1240
1241 return 0;
1242 }
1243
1244 static int
1245 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1246 {
1247 png_fixed_point red_inverse, green_inverse, blue_scale;
1248 png_fixed_point left, right, denominator;
1249
1250 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1251 * have end points with 0 tristimulus values (these are impossible end
1252 * points, but they are used to cover the possible colors). We check
1253 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1254 */
1255 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1256 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1257 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1258 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1259 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1260 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1261 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1262 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1263
1264 /* The reverse calculation is more difficult because the original tristimulus
1265 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1266 * derived values were recorded in the cHRM chunk;
1267 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1268 * therefore an arbitrary ninth value has to be introduced to undo the
1269 * original transformations.
1270 *
1271 * Think of the original end-points as points in (X,Y,Z) space. The
1272 * chromaticity values (c) have the property:
1273 *
1274 * C
1275 * c = ---------
1276 * X + Y + Z
1277 *
1278 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1279 * three chromaticity values (x,y,z) for each end-point obey the
1280 * relationship:
1281 *
1282 * x + y + z = 1
1283 *
1284 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1285 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1286 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1287 * and chromaticity is the intersection of the vector from the origin to the
1288 * (X,Y,Z) value with the chromaticity plane.
1289 *
1290 * To fully invert the chromaticity calculation we would need the three
1291 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1292 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1293 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1294 * given all three of the scale factors since:
1295 *
1296 * color-C = color-c * color-scale
1297 * white-C = red-C + green-C + blue-C
1298 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1299 *
1300 * But cHRM records only white-x and white-y, so we have lost the white scale
1301 * factor:
1302 *
1303 * white-C = white-c*white-scale
1304 *
1305 * To handle this the inverse transformation makes an arbitrary assumption
1306 * about white-scale:
1307 *
1308 * Assume: white-Y = 1.0
1309 * Hence: white-scale = 1/white-y
1310 * Or: red-Y + green-Y + blue-Y = 1.0
1311 *
1312 * Notice the last statement of the assumption gives an equation in three of
1313 * the nine values we want to calculate. 8 more equations come from the
1314 * above routine as summarised at the top above (the chromaticity
1315 * calculation):
1316 *
1317 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1318 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1319 *
1320 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1321 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1322 * determinants, however this is not as bad as it seems because only 28 of
1323 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1324 * Cramer's rule is notoriously numerically unstable because the determinant
1325 * calculation involves the difference of large, but similar, numbers. It is
1326 * difficult to be sure that the calculation is stable for real world values
1327 * and it is certain that it becomes unstable where the end points are close
1328 * together.
1329 *
1330 * So this code uses the perhaps slightly less optimal but more
1331 * understandable and totally obvious approach of calculating color-scale.
1332 *
1333 * This algorithm depends on the precision in white-scale and that is
1334 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1335 * accuracy inherent in the cHRM chunk drops off substantially.
1336 *
1337 * libpng arithmetic: a simple inversion of the above equations
1338 * ------------------------------------------------------------
1339 *
1340 * white_scale = 1/white-y
1341 * white-X = white-x * white-scale
1342 * white-Y = 1.0
1343 * white-Z = (1 - white-x - white-y) * white_scale
1344 *
1345 * white-C = red-C + green-C + blue-C
1346 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1347 *
1348 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1349 * all the coefficients are now known:
1350 *
1351 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1352 * = white-x/white-y
1353 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1354 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1355 * = (1 - white-x - white-y)/white-y
1356 *
1357 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1358 * three equations together to get an alternative third:
1359 *
1360 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1361 *
1362 * So now we have a Cramer's rule solution where the determinants are just
1363 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1364 * multiplication of three coefficients so we can't guarantee to avoid
1365 * overflow in the libpng fixed point representation. Using Cramer's rule in
1366 * floating point is probably a good choice here, but it's not an option for
1367 * fixed point. Instead proceed to simplify the first two equations by
1368 * eliminating what is likely to be the largest value, blue-scale:
1369 *
1370 * blue-scale = white-scale - red-scale - green-scale
1371 *
1372 * Hence:
1373 *
1374 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1375 * (white-x - blue-x)*white-scale
1376 *
1377 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1378 * 1 - blue-y*white-scale
1379 *
1380 * And now we can trivially solve for (red-scale,green-scale):
1381 *
1382 * green-scale =
1383 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1384 * -----------------------------------------------------------
1385 * green-x - blue-x
1386 *
1387 * red-scale =
1388 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1389 * ---------------------------------------------------------
1390 * red-y - blue-y
1391 *
1392 * Hence:
1393 *
1394 * red-scale =
1395 * ( (green-x - blue-x) * (white-y - blue-y) -
1396 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1397 * -------------------------------------------------------------------------
1398 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1399 *
1400 * green-scale =
1401 * ( (red-y - blue-y) * (white-x - blue-x) -
1402 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1403 * -------------------------------------------------------------------------
1404 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1405 *
1406 * Accuracy:
1407 * The input values have 5 decimal digits of accuracy. The values are all in
1408 * the range 0 < value < 1, so simple products are in the same range but may
1409 * need up to 10 decimal digits to preserve the original precision and avoid
1410 * underflow. Because we are using a 32-bit signed representation we cannot
1411 * match this; the best is a little over 9 decimal digits, less than 10.
1412 *
1413 * The approach used here is to preserve the maximum precision within the
1414 * signed representation. Because the red-scale calculation above uses the
1415 * difference between two products of values that must be in the range -1..+1
1416 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1417 * factor is irrelevant in the calculation because it is applied to both
1418 * numerator and denominator.
1419 *
1420 * Note that the values of the differences of the products of the
1421 * chromaticities in the above equations tend to be small, for example for
1422 * the sRGB chromaticities they are:
1423 *
1424 * red numerator: -0.04751
1425 * green numerator: -0.08788
1426 * denominator: -0.2241 (without white-y multiplication)
1427 *
1428 * The resultant Y coefficients from the chromaticities of some widely used
1429 * color space definitions are (to 15 decimal places):
1430 *
1431 * sRGB
1432 * 0.212639005871510 0.715168678767756 0.072192315360734
1433 * Kodak ProPhoto
1434 * 0.288071128229293 0.711843217810102 0.000085653960605
1435 * Adobe RGB
1436 * 0.297344975250536 0.627363566255466 0.075291458493998
1437 * Adobe Wide Gamut RGB
1438 * 0.258728243040113 0.724682314948566 0.016589442011321
1439 */
1440 /* By the argument, above overflow should be impossible here. The return
1441 * value of 2 indicates an internal error to the caller.
1442 */
1443 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1444 return 2;
1445 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1446 return 2;
1447 denominator = left - right;
1448
1449 /* Now find the red numerator. */
1450 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1451 return 2;
1452 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1453 return 2;
1454
1455 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1456 * chunk values. This calculation actually returns the reciprocal of the
1457 * scale value because this allows us to delay the multiplication of white-y
1458 * into the denominator, which tends to produce a small number.
1459 */
1460 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1461 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1462 return 1;
1463
1464 /* Similarly for green_inverse: */
1465 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1466 return 2;
1467 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1468 return 2;
1469 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1470 green_inverse <= xy->whitey)
1471 return 1;
1472
1473 /* And the blue scale, the checks above guarantee this can't overflow but it
1474 * can still produce 0 for extreme cHRM values.
1475 */
1476 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1477 png_reciprocal(green_inverse);
1478 if (blue_scale <= 0)
1479 return 1;
1480
1481
1482 /* And fill in the png_XYZ: */
1483 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1484 return 1;
1485 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1486 return 1;
1487 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1488 red_inverse) == 0)
1489 return 1;
1490
1491 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1492 return 1;
1493 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1494 return 1;
1495 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1496 green_inverse) == 0)
1497 return 1;
1498
1499 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1500 return 1;
1501 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1502 return 1;
1503 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1504 PNG_FP_1) == 0)
1505 return 1;
1506
1507 return 0; /*success*/
1508 }
1509
1510 static int
1511 png_XYZ_normalize(png_XYZ *XYZ)
1512 {
1513 png_int_32 Y;
1514
1515 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1516 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1517 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1518 return 1;
1519
1520 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1521 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1522 * relying on addition of two positive values producing a negative one is not
1523 * safe.
1524 */
1525 Y = XYZ->red_Y;
1526 if (0x7fffffff - Y < XYZ->green_X)
1527 return 1;
1528 Y += XYZ->green_Y;
1529 if (0x7fffffff - Y < XYZ->blue_X)
1530 return 1;
1531 Y += XYZ->blue_Y;
1532
1533 if (Y != PNG_FP_1)
1534 {
1535 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1536 return 1;
1537 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1538 return 1;
1539 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1540 return 1;
1541
1542 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1543 return 1;
1544 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1545 return 1;
1546 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1547 return 1;
1548
1549 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1550 return 1;
1551 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1552 return 1;
1553 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1554 return 1;
1555 }
1556
1557 return 0;
1558 }
1559
1560 static int
1561 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1562 {
1563 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1564 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1565 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1566 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1567 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1568 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1569 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1570 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1571 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1572 return 0;
1573 return 1;
1574 }
1575
1576 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1577 * chunk chromaticities. Earlier checks used to simply look for the overflow
1578 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1579 * because the chromaticity values are not all distinct.) Despite this it is
1580 * theoretically possible to produce chromaticities that are apparently valid
1581 * but that rapidly degrade to invalid, potentially crashing, sets because of
1582 * arithmetic inaccuracies when calculations are performed on them. The new
1583 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1584 * within a small percentage of the original.
1585 */
1586 static int
1587 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1588 {
1589 int result;
1590 png_xy xy_test;
1591
1592 /* As a side-effect this routine also returns the XYZ endpoints. */
1593 result = png_XYZ_from_xy(XYZ, xy);
1594 if (result != 0)
1595 return result;
1596
1597 result = png_xy_from_XYZ(&xy_test, XYZ);
1598 if (result != 0)
1599 return result;
1600
1601 if (png_colorspace_endpoints_match(xy, &xy_test,
1602 5/*actually, the math is pretty accurate*/) != 0)
1603 return 0;
1604
1605 /* Too much slip */
1606 return 1;
1607 }
1608
1609 /* This is the check going the other way. The XYZ is modified to normalize it
1610 * (another side-effect) and the xy chromaticities are returned.
1611 */
1612 static int
1613 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1614 {
1615 int result;
1616 png_XYZ XYZtemp;
1617
1618 result = png_XYZ_normalize(XYZ);
1619 if (result != 0)
1620 return result;
1621
1622 result = png_xy_from_XYZ(xy, XYZ);
1623 if (result != 0)
1624 return result;
1625
1626 XYZtemp = *XYZ;
1627 return png_colorspace_check_xy(&XYZtemp, xy);
1628 }
1629
1630 /* Used to check for an endpoint match against sRGB */
1631 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1632 {
1633 /* color x y */
1634 /* red */ 64000, 33000,
1635 /* green */ 30000, 60000,
1636 /* blue */ 15000, 6000,
1637 /* white */ 31270, 32900
1638 };
1639
1640 static int
1641 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1642 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1643 int preferred)
1644 {
1645 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1646 return 0;
1647
1648 /* The consistency check is performed on the chromaticities; this factors out
1649 * variations because of the normalization (or not) of the end point Y
1650 * values.
1651 */
1652 if (preferred < 2 &&
1653 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1654 {
1655 /* The end points must be reasonably close to any we already have. The
1656 * following allows an error of up to +/-.001
1657 */
1658 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1659 100) == 0)
1660 {
1661 colorspace->flags |= PNG_COLORSPACE_INVALID;
1662 png_benign_error(png_ptr, "inconsistent chromaticities");
1663 return 0; /* failed */
1664 }
1665
1666 /* Only overwrite with preferred values */
1667 if (preferred == 0)
1668 return 1; /* ok, but no change */
1669 }
1670
1671 colorspace->end_points_xy = *xy;
1672 colorspace->end_points_XYZ = *XYZ;
1673 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1674
1675 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1676 * on this test.
1677 */
1678 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1679 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1680
1681 else
1682 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1683 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1684
1685 return 2; /* ok and changed */
1686 }
1687
1688 int /* PRIVATE */
1689 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1690 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1691 {
1692 /* We must check the end points to ensure they are reasonable - in the past
1693 * color management systems have crashed as a result of getting bogus
1694 * colorant values, while this isn't the fault of libpng it is the
1695 * responsibility of libpng because PNG carries the bomb and libpng is in a
1696 * position to protect against it.
1697 */
1698 png_XYZ XYZ;
1699
1700 switch (png_colorspace_check_xy(&XYZ, xy))
1701 {
1702 case 0: /* success */
1703 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1704 preferred);
1705
1706 case 1:
1707 /* We can't invert the chromaticities so we can't produce value XYZ
1708 * values. Likely as not a color management system will fail too.
1709 */
1710 colorspace->flags |= PNG_COLORSPACE_INVALID;
1711 png_benign_error(png_ptr, "invalid chromaticities");
1712 break;
1713
1714 default:
1715 /* libpng is broken; this should be a warning but if it happens we
1716 * want error reports so for the moment it is an error.
1717 */
1718 colorspace->flags |= PNG_COLORSPACE_INVALID;
1719 png_error(png_ptr, "internal error checking chromaticities");
1720 }
1721
1722 return 0; /* failed */
1723 }
1724
1725 int /* PRIVATE */
1726 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1727 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1728 {
1729 png_XYZ XYZ = *XYZ_in;
1730 png_xy xy;
1731
1732 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1733 {
1734 case 0:
1735 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1736 preferred);
1737
1738 case 1:
1739 /* End points are invalid. */
1740 colorspace->flags |= PNG_COLORSPACE_INVALID;
1741 png_benign_error(png_ptr, "invalid end points");
1742 break;
1743
1744 default:
1745 colorspace->flags |= PNG_COLORSPACE_INVALID;
1746 png_error(png_ptr, "internal error checking chromaticities");
1747 }
1748
1749 return 0; /* failed */
1750 }
1751
1752 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1753 /* Error message generation */
1754 static char
1755 png_icc_tag_char(png_uint_32 byte)
1756 {
1757 byte &= 0xff;
1758 if (byte >= 32 && byte <= 126)
1759 return (char)byte;
1760 else
1761 return '?';
1762 }
1763
1764 static void
1765 png_icc_tag_name(char *name, png_uint_32 tag)
1766 {
1767 name[0] = '\'';
1768 name[1] = png_icc_tag_char(tag >> 24);
1769 name[2] = png_icc_tag_char(tag >> 16);
1770 name[3] = png_icc_tag_char(tag >> 8);
1771 name[4] = png_icc_tag_char(tag );
1772 name[5] = '\'';
1773 }
1774
1775 static int
1776 is_ICC_signature_char(png_alloc_size_t it)
1777 {
1778 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1779 (it >= 97 && it <= 122);
1780 }
1781
1782 static int
1783 is_ICC_signature(png_alloc_size_t it)
1784 {
1785 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1786 is_ICC_signature_char((it >> 16) & 0xff) &&
1787 is_ICC_signature_char((it >> 8) & 0xff) &&
1788 is_ICC_signature_char(it & 0xff);
1789 }
1790
1791 static int
1792 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1793 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1794 {
1795 size_t pos;
1796 char message[196]; /* see below for calculation */
1797
1798 if (colorspace != NULL)
1799 colorspace->flags |= PNG_COLORSPACE_INVALID;
1800
1801 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1802 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1803 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1804 if (is_ICC_signature(value) != 0)
1805 {
1806 /* So 'value' is at most 4 bytes and the following cast is safe */
1807 png_icc_tag_name(message+pos, (png_uint_32)value);
1808 pos += 6; /* total +8; less than the else clause */
1809 message[pos++] = ':';
1810 message[pos++] = ' ';
1811 }
1812 # ifdef PNG_WARNINGS_SUPPORTED
1813 else
1814 {
1815 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1816
1817 pos = png_safecat(message, (sizeof message), pos,
1818 png_format_number(number, number+(sizeof number),
1819 PNG_NUMBER_FORMAT_x, value));
1820 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1821 }
1822 # endif
1823 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1824 pos = png_safecat(message, (sizeof message), pos, reason);
1825 PNG_UNUSED(pos)
1826
1827 /* This is recoverable, but make it unconditionally an app_error on write to
1828 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1829 * on read, with a warning, but on write unless the app turns off
1830 * application errors the PNG won't be written.)
1831 */
1832 png_chunk_report(png_ptr, message,
1833 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1834
1835 return 0;
1836 }
1837 #endif /* sRGB || iCCP */
1838
1839 #ifdef PNG_sRGB_SUPPORTED
1840 int /* PRIVATE */
1841 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1842 int intent)
1843 {
1844 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1845 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1846 * because ICC profiles store values adapted to a D50 environment; it is
1847 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1848 * checks and code elsewhere to understand this better.
1849 *
1850 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1851 * coefficients of (6968,23435,2366), which are reduced (because they add up
1852 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1853 * libpng has traditionally used (and are the best values given the 15bit
1854 * algorithm used by the rgb to gray code.)
1855 */
1856 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1857 {
1858 /* color X Y Z */
1859 /* red */ 41239, 21264, 1933,
1860 /* green */ 35758, 71517, 11919,
1861 /* blue */ 18048, 7219, 95053
1862 };
1863
1864 /* Do nothing if the colorspace is already invalidated. */
1865 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1866 return 0;
1867
1868 /* Check the intent, then check for existing settings. It is valid for the
1869 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1870 * be consistent with the correct values. If, however, this function is
1871 * called below because an iCCP chunk matches sRGB then it is quite
1872 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1873 * an incorrect calculation based on the values in the profile - this does
1874 * *not* invalidate the profile (though it still produces an error, which can
1875 * be ignored.)
1876 */
1877 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1878 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1879 (unsigned)intent, "invalid sRGB rendering intent");
1880
1881 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1882 colorspace->rendering_intent != intent)
1883 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1884 (unsigned)intent, "inconsistent rendering intents");
1885
1886 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1887 {
1888 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1889 return 0;
1890 }
1891
1892 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1893 * warn but overwrite the value with the correct one.
1894 */
1895 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1896 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1897 100))
1898 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1899 PNG_CHUNK_ERROR);
1900
1901 /* This check is just done for the error reporting - the routine always
1902 * returns true when the 'from' argument corresponds to sRGB (2).
1903 */
1904 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1905 2/*from sRGB*/);
1906
1907 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1908 colorspace->rendering_intent = (png_uint_16)intent;
1909 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1910
1911 /* endpoints */
1912 colorspace->end_points_xy = sRGB_xy;
1913 colorspace->end_points_XYZ = sRGB_XYZ;
1914 colorspace->flags |=
1915 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1916
1917 /* gamma */
1918 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1919 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1920
1921 /* Finally record that we have an sRGB profile */
1922 colorspace->flags |=
1923 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1924
1925 return 1; /* set */
1926 }
1927 #endif /* sRGB */
1928
1929 #ifdef PNG_iCCP_SUPPORTED
1930 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1931 * is XYZ(0.9642,1.0,0.8249), which scales to:
1932 *
1933 * (63189.8112, 65536, 54060.6464)
1934 */
1935 static const png_byte D50_nCIEXYZ[12] =
1936 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1937
1938 static int /* bool */
1939 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1940 png_const_charp name, png_uint_32 profile_length)
1941 {
1942 if (profile_length < 132)
1943 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1944 "too short");
1945
1946 return 1;
1947 }
1948
1949 #ifdef PNG_READ_iCCP_SUPPORTED
1950 int /* PRIVATE */
1951 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1952 png_const_charp name, png_uint_32 profile_length)
1953 {
1954 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1955 return 0;
1956
1957 /* This needs to be here because the 'normal' check is in
1958 * png_decompress_chunk, yet this happens after the attempt to
1959 * png_malloc_base the required data. We only need this on read; on write
1960 * the caller supplies the profile buffer so libpng doesn't allocate it. See
1961 * the call to icc_check_length below (the write case).
1962 */
1963 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
1964 else if (png_ptr->user_chunk_malloc_max > 0 &&
1965 png_ptr->user_chunk_malloc_max < profile_length)
1966 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1967 "exceeds application limits");
1968 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
1969 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
1970 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1971 "exceeds libpng limits");
1972 # else /* !SET_USER_LIMITS */
1973 /* This will get compiled out on all 32-bit and better systems. */
1974 else if (PNG_SIZE_MAX < profile_length)
1975 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1976 "exceeds system limits");
1977 # endif /* !SET_USER_LIMITS */
1978
1979 return 1;
1980 }
1981 #endif /* READ_iCCP */
1982
1983 int /* PRIVATE */
1984 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
1985 png_const_charp name, png_uint_32 profile_length,
1986 png_const_bytep profile/* first 132 bytes only */, int color_type)
1987 {
1988 png_uint_32 temp;
1989
1990 /* Length check; this cannot be ignored in this code because profile_length
1991 * is used later to check the tag table, so even if the profile seems over
1992 * long profile_length from the caller must be correct. The caller can fix
1993 * this up on read or write by just passing in the profile header length.
1994 */
1995 temp = png_get_uint_32(profile);
1996 if (temp != profile_length)
1997 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1998 "length does not match profile");
1999
2000 temp = (png_uint_32) (*(profile+8));
2001 if (temp > 3 && (profile_length & 3))
2002 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2003 "invalid length");
2004
2005 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2006 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2007 profile_length < 132+12*temp) /* truncated tag table */
2008 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2009 "tag count too large");
2010
2011 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2012 * 16 bits.
2013 */
2014 temp = png_get_uint_32(profile+64);
2015 if (temp >= 0xffff) /* The ICC limit */
2016 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2017 "invalid rendering intent");
2018
2019 /* This is just a warning because the profile may be valid in future
2020 * versions.
2021 */
2022 if (temp >= PNG_sRGB_INTENT_LAST)
2023 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2024 "intent outside defined range");
2025
2026 /* At this point the tag table can't be checked because it hasn't necessarily
2027 * been loaded; however, various header fields can be checked. These checks
2028 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2029 * restricts the profiles that can be passed in an iCCP chunk (they must be
2030 * appropriate to processing PNG data!)
2031 */
2032
2033 /* Data checks (could be skipped). These checks must be independent of the
2034 * version number; however, the version number doesn't accomodate changes in
2035 * the header fields (just the known tags and the interpretation of the
2036 * data.)
2037 */
2038 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2039 if (temp != 0x61637370)
2040 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2041 "invalid signature");
2042
2043 /* Currently the PCS illuminant/adopted white point (the computational
2044 * white point) are required to be D50,
2045 * however the profile contains a record of the illuminant so perhaps ICC
2046 * expects to be able to change this in the future (despite the rationale in
2047 * the introduction for using a fixed PCS adopted white.) Consequently the
2048 * following is just a warning.
2049 */
2050 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2051 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2052 "PCS illuminant is not D50");
2053
2054 /* The PNG spec requires this:
2055 * "If the iCCP chunk is present, the image samples conform to the colour
2056 * space represented by the embedded ICC profile as defined by the
2057 * International Color Consortium [ICC]. The colour space of the ICC profile
2058 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2059 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2060 * and 4)."
2061 *
2062 * This checking code ensures the embedded profile (on either read or write)
2063 * conforms to the specification requirements. Notice that an ICC 'gray'
2064 * color-space profile contains the information to transform the monochrome
2065 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2066 * should be used in preference to the standard libpng K channel replication
2067 * into R, G and B channels.
2068 *
2069 * Previously it was suggested that an RGB profile on grayscale data could be
2070 * handled. However it it is clear that using an RGB profile in this context
2071 * must be an error - there is no specification of what it means. Thus it is
2072 * almost certainly more correct to ignore the profile.
2073 */
2074 temp = png_get_uint_32(profile+16); /* data colour space field */
2075 switch (temp)
2076 {
2077 case 0x52474220: /* 'RGB ' */
2078 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2079 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2080 "RGB color space not permitted on grayscale PNG");
2081 break;
2082
2083 case 0x47524159: /* 'GRAY' */
2084 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2085 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2086 "Gray color space not permitted on RGB PNG");
2087 break;
2088
2089 default:
2090 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2091 "invalid ICC profile color space");
2092 }
2093
2094 /* It is up to the application to check that the profile class matches the
2095 * application requirements; the spec provides no guidance, but it's pretty
2096 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2097 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2098 * cases. Issue an error for device link or abstract profiles - these don't
2099 * contain the records necessary to transform the color-space to anything
2100 * other than the target device (and not even that for an abstract profile).
2101 * Profiles of these classes may not be embedded in images.
2102 */
2103 temp = png_get_uint_32(profile+12); /* profile/device class */
2104 switch (temp)
2105 {
2106 case 0x73636e72: /* 'scnr' */
2107 case 0x6d6e7472: /* 'mntr' */
2108 case 0x70727472: /* 'prtr' */
2109 case 0x73706163: /* 'spac' */
2110 /* All supported */
2111 break;
2112
2113 case 0x61627374: /* 'abst' */
2114 /* May not be embedded in an image */
2115 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116 "invalid embedded Abstract ICC profile");
2117
2118 case 0x6c696e6b: /* 'link' */
2119 /* DeviceLink profiles cannot be interpreted in a non-device specific
2120 * fashion, if an app uses the AToB0Tag in the profile the results are
2121 * undefined unless the result is sent to the intended device,
2122 * therefore a DeviceLink profile should not be found embedded in a
2123 * PNG.
2124 */
2125 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2126 "unexpected DeviceLink ICC profile class");
2127
2128 case 0x6e6d636c: /* 'nmcl' */
2129 /* A NamedColor profile is also device specific, however it doesn't
2130 * contain an AToB0 tag that is open to misinterpretation. Almost
2131 * certainly it will fail the tests below.
2132 */
2133 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2134 "unexpected NamedColor ICC profile class");
2135 break;
2136
2137 default:
2138 /* To allow for future enhancements to the profile accept unrecognized
2139 * profile classes with a warning, these then hit the test below on the
2140 * tag content to ensure they are backward compatible with one of the
2141 * understood profiles.
2142 */
2143 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2144 "unrecognized ICC profile class");
2145 break;
2146 }
2147
2148 /* For any profile other than a device link one the PCS must be encoded
2149 * either in XYZ or Lab.
2150 */
2151 temp = png_get_uint_32(profile+20);
2152 switch (temp)
2153 {
2154 case 0x58595a20: /* 'XYZ ' */
2155 case 0x4c616220: /* 'Lab ' */
2156 break;
2157
2158 default:
2159 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2160 "unexpected ICC PCS encoding");
2161 }
2162
2163 return 1;
2164 }
2165
2166 int /* PRIVATE */
2167 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2168 png_const_charp name, png_uint_32 profile_length,
2169 png_const_bytep profile /* header plus whole tag table */)
2170 {
2171 png_uint_32 tag_count = png_get_uint_32(profile+128);
2172 png_uint_32 itag;
2173 png_const_bytep tag = profile+132; /* The first tag */
2174
2175 /* First scan all the tags in the table and add bits to the icc_info value
2176 * (temporarily in 'tags').
2177 */
2178 for (itag=0; itag < tag_count; ++itag, tag += 12)
2179 {
2180 png_uint_32 tag_id = png_get_uint_32(tag+0);
2181 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2182 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2183
2184 /* The ICC specification does not exclude zero length tags, therefore the
2185 * start might actually be anywhere if there is no data, but this would be
2186 * a clear abuse of the intent of the standard so the start is checked for
2187 * being in range. All defined tag types have an 8 byte header - a 4 byte
2188 * type signature then 0.
2189 */
2190 if ((tag_start & 3) != 0)
2191 {
2192 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is
2193 * only a warning here because libpng does not care about the
2194 * alignment.
2195 */
2196 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2197 "ICC profile tag start not a multiple of 4");
2198 }
2199
2200 /* This is a hard error; potentially it can cause read outside the
2201 * profile.
2202 */
2203 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2204 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2205 "ICC profile tag outside profile");
2206 }
2207
2208 return 1; /* success, maybe with warnings */
2209 }
2210
2211 #ifdef PNG_sRGB_SUPPORTED
2212 #if PNG_sRGB_PROFILE_CHECKS >= 0
2213 /* Information about the known ICC sRGB profiles */
2214 static const struct
2215 {
2216 png_uint_32 adler, crc, length;
2217 png_uint_32 md5[4];
2218 png_byte have_md5;
2219 png_byte is_broken;
2220 png_uint_16 intent;
2221
2222 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2223 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2224 { adler, crc, length, md5, broke, intent },
2225
2226 } png_sRGB_checks[] =
2227 {
2228 /* This data comes from contrib/tools/checksum-icc run on downloads of
2229 * all four ICC sRGB profiles from www.color.org.
2230 */
2231 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2232 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2233 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2234 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2235
2236 /* ICC sRGB v2 perceptual no black-compensation: */
2237 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2238 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2239 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2240
2241 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2242 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2243 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2244
2245 /* ICC sRGB v4 perceptual */
2246 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2247 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2248 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2249
2250 /* The following profiles have no known MD5 checksum. If there is a match
2251 * on the (empty) MD5 the other fields are used to attempt a match and
2252 * a warning is produced. The first two of these profiles have a 'cprt' tag
2253 * which suggests that they were also made by Hewlett Packard.
2254 */
2255 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2256 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2257 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2258
2259 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2260 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2261 * so the white point is recorded as the un-adapted value.) The profiles
2262 * below only differ in one byte - the intent - and are basically the same as
2263 * the previous profile except for the mediaWhitePointTag error and a missing
2264 * chromaticAdaptationTag.
2265 */
2266 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2267 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2268 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2269
2270 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2271 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2272 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2273 };
2274
2275 static int
2276 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2277 png_const_bytep profile, uLong adler)
2278 {
2279 /* The quick check is to verify just the MD5 signature and trust the
2280 * rest of the data. Because the profile has already been verified for
2281 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2282 * field too, so if the profile has been edited with an intent not defined
2283 * by sRGB (but maybe defined by a later ICC specification) the read of
2284 * the profile will fail at that point.
2285 */
2286
2287 png_uint_32 length = 0;
2288 png_uint_32 intent = 0x10000; /* invalid */
2289 #if PNG_sRGB_PROFILE_CHECKS > 1
2290 uLong crc = 0; /* the value for 0 length data */
2291 #endif
2292 unsigned int i;
2293
2294 #ifdef PNG_SET_OPTION_SUPPORTED
2295 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2296 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2297 PNG_OPTION_ON)
2298 return 0;
2299 #endif
2300
2301 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2302 {
2303 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2304 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2305 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2306 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2307 {
2308 /* This may be one of the old HP profiles without an MD5, in that
2309 * case we can only use the length and Adler32 (note that these
2310 * are not used by default if there is an MD5!)
2311 */
2312 # if PNG_sRGB_PROFILE_CHECKS == 0
2313 if (png_sRGB_checks[i].have_md5 != 0)
2314 return 1+png_sRGB_checks[i].is_broken;
2315 # endif
2316
2317 /* Profile is unsigned or more checks have been configured in. */
2318 if (length == 0)
2319 {
2320 length = png_get_uint_32(profile);
2321 intent = png_get_uint_32(profile+64);
2322 }
2323
2324 /* Length *and* intent must match */
2325 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2326 intent == (png_uint_32) png_sRGB_checks[i].intent)
2327 {
2328 /* Now calculate the adler32 if not done already. */
2329 if (adler == 0)
2330 {
2331 adler = adler32(0, NULL, 0);
2332 adler = adler32(adler, profile, length);
2333 }
2334
2335 if (adler == png_sRGB_checks[i].adler)
2336 {
2337 /* These basic checks suggest that the data has not been
2338 * modified, but if the check level is more than 1 perform
2339 * our own crc32 checksum on the data.
2340 */
2341 # if PNG_sRGB_PROFILE_CHECKS > 1
2342 if (crc == 0)
2343 {
2344 crc = crc32(0, NULL, 0);
2345 crc = crc32(crc, profile, length);
2346 }
2347
2348 /* So this check must pass for the 'return' below to happen.
2349 */
2350 if (crc == png_sRGB_checks[i].crc)
2351 # endif
2352 {
2353 if (png_sRGB_checks[i].is_broken != 0)
2354 {
2355 /* These profiles are known to have bad data that may cause
2356 * problems if they are used, therefore attempt to
2357 * discourage their use, skip the 'have_md5' warning below,
2358 * which is made irrelevant by this error.
2359 */
2360 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2361 PNG_CHUNK_ERROR);
2362 }
2363
2364 /* Warn that this being done; this isn't even an error since
2365 * the profile is perfectly valid, but it would be nice if
2366 * people used the up-to-date ones.
2367 */
2368 else if (png_sRGB_checks[i].have_md5 == 0)
2369 {
2370 png_chunk_report(png_ptr,
2371 "out-of-date sRGB profile with no signature",
2372 PNG_CHUNK_WARNING);
2373 }
2374
2375 return 1+png_sRGB_checks[i].is_broken;
2376 }
2377 }
2378
2379 # if PNG_sRGB_PROFILE_CHECKS > 0
2380 /* The signature matched, but the profile had been changed in some
2381 * way. This probably indicates a data error or uninformed hacking.
2382 * Fall through to "no match".
2383 */
2384 png_chunk_report(png_ptr,
2385 "Not recognizing known sRGB profile that has been edited",
2386 PNG_CHUNK_WARNING);
2387 break;
2388 # endif
2389 }
2390 }
2391 }
2392
2393 return 0; /* no match */
2394 }
2395
2396 void /* PRIVATE */
2397 png_icc_set_sRGB(png_const_structrp png_ptr,
2398 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2399 {
2400 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2401 * the sRGB information.
2402 */
2403 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2404 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2405 (int)/*already checked*/png_get_uint_32(profile+64));
2406 }
2407 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2408 #endif /* sRGB */
2409
2410 int /* PRIVATE */
2411 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2412 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2413 int color_type)
2414 {
2415 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2416 return 0;
2417
2418 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2419 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2420 color_type) != 0 &&
2421 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2422 profile) != 0)
2423 {
2424 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2425 /* If no sRGB support, don't try storing sRGB information */
2426 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2427 # endif
2428 return 1;
2429 }
2430
2431 /* Failure case */
2432 return 0;
2433 }
2434 #endif /* iCCP */
2435
2436 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2437 void /* PRIVATE */
2438 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2439 {
2440 /* Set the rgb_to_gray coefficients from the colorspace. */
2441 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2442 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2443 {
2444 /* png_set_background has not been called, get the coefficients from the Y
2445 * values of the colorspace colorants.
2446 */
2447 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2448 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2449 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2450 png_fixed_point total = r+g+b;
2451
2452 if (total > 0 &&
2453 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2454 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2455 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2456 r+g+b <= 32769)
2457 {
2458 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2459 * all of the coefficients were rounded up. Handle this by
2460 * reducing the *largest* coefficient by 1; this matches the
2461 * approach used for the default coefficients in pngrtran.c
2462 */
2463 int add = 0;
2464
2465 if (r+g+b > 32768)
2466 add = -1;
2467 else if (r+g+b < 32768)
2468 add = 1;
2469
2470 if (add != 0)
2471 {
2472 if (g >= r && g >= b)
2473 g += add;
2474 else if (r >= g && r >= b)
2475 r += add;
2476 else
2477 b += add;
2478 }
2479
2480 /* Check for an internal error. */
2481 if (r+g+b != 32768)
2482 png_error(png_ptr,
2483 "internal error handling cHRM coefficients");
2484
2485 else
2486 {
2487 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2488 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2489 }
2490 }
2491
2492 /* This is a png_error at present even though it could be ignored -
2493 * it should never happen, but it is important that if it does, the
2494 * bug is fixed.
2495 */
2496 else
2497 png_error(png_ptr, "internal error handling cHRM->XYZ");
2498 }
2499 }
2500 #endif /* READ_RGB_TO_GRAY */
2501
2502 #endif /* COLORSPACE */
2503
2504 #ifdef __GNUC__
2505 /* This exists solely to work round a warning from GNU C. */
2506 static int /* PRIVATE */
2507 png_gt(size_t a, size_t b)
2508 {
2509 return a > b;
2510 }
2511 #else
2512 # define png_gt(a,b) ((a) > (b))
2513 #endif
2514
2515 void /* PRIVATE */
2516 png_check_IHDR(png_const_structrp png_ptr,
2517 png_uint_32 width, png_uint_32 height, int bit_depth,
2518 int color_type, int interlace_type, int compression_type,
2519 int filter_type)
2520 {
2521 int error = 0;
2522
2523 /* Check for width and height valid values */
2524 if (width == 0)
2525 {
2526 png_warning(png_ptr, "Image width is zero in IHDR");
2527 error = 1;
2528 }
2529
2530 if (width > PNG_UINT_31_MAX)
2531 {
2532 png_warning(png_ptr, "Invalid image width in IHDR");
2533 error = 1;
2534 }
2535
2536 if (png_gt(((width + 7) & (~7U)),
2537 ((PNG_SIZE_MAX
2538 - 48 /* big_row_buf hack */
2539 - 1) /* filter byte */
2540 / 8) /* 8-byte RGBA pixels */
2541 - 1)) /* extra max_pixel_depth pad */
2542 {
2543 /* The size of the row must be within the limits of this architecture.
2544 * Because the read code can perform arbitrary transformations the
2545 * maximum size is checked here. Because the code in png_read_start_row
2546 * adds extra space "for safety's sake" in several places a conservative
2547 * limit is used here.
2548 *
2549 * NOTE: it would be far better to check the size that is actually used,
2550 * but the effect in the real world is minor and the changes are more
2551 * extensive, therefore much more dangerous and much more difficult to
2552 * write in a way that avoids compiler warnings.
2553 */
2554 png_warning(png_ptr, "Image width is too large for this architecture");
2555 error = 1;
2556 }
2557
2558 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2559 if (width > png_ptr->user_width_max)
2560 #else
2561 if (width > PNG_USER_WIDTH_MAX)
2562 #endif
2563 {
2564 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2565 error = 1;
2566 }
2567
2568 if (height == 0)
2569 {
2570 png_warning(png_ptr, "Image height is zero in IHDR");
2571 error = 1;
2572 }
2573
2574 if (height > PNG_UINT_31_MAX)
2575 {
2576 png_warning(png_ptr, "Invalid image height in IHDR");
2577 error = 1;
2578 }
2579
2580 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2581 if (height > png_ptr->user_height_max)
2582 #else
2583 if (height > PNG_USER_HEIGHT_MAX)
2584 #endif
2585 {
2586 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2587 error = 1;
2588 }
2589
2590 /* Check other values */
2591 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2592 bit_depth != 8 && bit_depth != 16)
2593 {
2594 png_warning(png_ptr, "Invalid bit depth in IHDR");
2595 error = 1;
2596 }
2597
2598 if (color_type < 0 || color_type == 1 ||
2599 color_type == 5 || color_type > 6)
2600 {
2601 png_warning(png_ptr, "Invalid color type in IHDR");
2602 error = 1;
2603 }
2604
2605 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2606 ((color_type == PNG_COLOR_TYPE_RGB ||
2607 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2608 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2609 {
2610 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2611 error = 1;
2612 }
2613
2614 if (interlace_type >= PNG_INTERLACE_LAST)
2615 {
2616 png_warning(png_ptr, "Unknown interlace method in IHDR");
2617 error = 1;
2618 }
2619
2620 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2621 {
2622 png_warning(png_ptr, "Unknown compression method in IHDR");
2623 error = 1;
2624 }
2625
2626 #ifdef PNG_MNG_FEATURES_SUPPORTED
2627 /* Accept filter_method 64 (intrapixel differencing) only if
2628 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2629 * 2. Libpng did not read a PNG signature (this filter_method is only
2630 * used in PNG datastreams that are embedded in MNG datastreams) and
2631 * 3. The application called png_permit_mng_features with a mask that
2632 * included PNG_FLAG_MNG_FILTER_64 and
2633 * 4. The filter_method is 64 and
2634 * 5. The color_type is RGB or RGBA
2635 */
2636 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2637 png_ptr->mng_features_permitted != 0)
2638 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2639
2640 if (filter_type != PNG_FILTER_TYPE_BASE)
2641 {
2642 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2643 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2644 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2645 (color_type == PNG_COLOR_TYPE_RGB ||
2646 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2647 {
2648 png_warning(png_ptr, "Unknown filter method in IHDR");
2649 error = 1;
2650 }
2651
2652 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2653 {
2654 png_warning(png_ptr, "Invalid filter method in IHDR");
2655 error = 1;
2656 }
2657 }
2658
2659 #else
2660 if (filter_type != PNG_FILTER_TYPE_BASE)
2661 {
2662 png_warning(png_ptr, "Unknown filter method in IHDR");
2663 error = 1;
2664 }
2665 #endif
2666
2667 if (error == 1)
2668 png_error(png_ptr, "Invalid IHDR data");
2669 }
2670
2671 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2672 /* ASCII to fp functions */
2673 /* Check an ASCII formated floating point value, see the more detailed
2674 * comments in pngpriv.h
2675 */
2676 /* The following is used internally to preserve the sticky flags */
2677 #define png_fp_add(state, flags) ((state) |= (flags))
2678 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2679
2680 int /* PRIVATE */
2681 png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2682 png_size_tp whereami)
2683 {
2684 int state = *statep;
2685 png_size_t i = *whereami;
2686
2687 while (i < size)
2688 {
2689 int type;
2690 /* First find the type of the next character */
2691 switch (string[i])
2692 {
2693 case 43: type = PNG_FP_SAW_SIGN; break;
2694 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2695 case 46: type = PNG_FP_SAW_DOT; break;
2696 case 48: type = PNG_FP_SAW_DIGIT; break;
2697 case 49: case 50: case 51: case 52:
2698 case 53: case 54: case 55: case 56:
2699 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2700 case 69:
2701 case 101: type = PNG_FP_SAW_E; break;
2702 default: goto PNG_FP_End;
2703 }
2704
2705 /* Now deal with this type according to the current
2706 * state, the type is arranged to not overlap the
2707 * bits of the PNG_FP_STATE.
2708 */
2709 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2710 {
2711 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2712 if ((state & PNG_FP_SAW_ANY) != 0)
2713 goto PNG_FP_End; /* not a part of the number */
2714
2715 png_fp_add(state, type);
2716 break;
2717
2718 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2719 /* Ok as trailer, ok as lead of fraction. */
2720 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2721 goto PNG_FP_End;
2722
2723 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2724 png_fp_add(state, type);
2725
2726 else
2727 png_fp_set(state, PNG_FP_FRACTION | type);
2728
2729 break;
2730
2731 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2732 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2733 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2734
2735 png_fp_add(state, type | PNG_FP_WAS_VALID);
2736
2737 break;
2738
2739 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2740 if ((state & PNG_FP_SAW_DIGIT) == 0)
2741 goto PNG_FP_End;
2742
2743 png_fp_set(state, PNG_FP_EXPONENT);
2744
2745 break;
2746
2747 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2748 goto PNG_FP_End; ** no sign in fraction */
2749
2750 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2751 goto PNG_FP_End; ** Because SAW_DOT is always set */
2752
2753 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2754 png_fp_add(state, type | PNG_FP_WAS_VALID);
2755 break;
2756
2757 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2758 /* This is correct because the trailing '.' on an
2759 * integer is handled above - so we can only get here
2760 * with the sequence ".E" (with no preceding digits).
2761 */
2762 if ((state & PNG_FP_SAW_DIGIT) == 0)
2763 goto PNG_FP_End;
2764
2765 png_fp_set(state, PNG_FP_EXPONENT);
2766
2767 break;
2768
2769 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2770 if ((state & PNG_FP_SAW_ANY) != 0)
2771 goto PNG_FP_End; /* not a part of the number */
2772
2773 png_fp_add(state, PNG_FP_SAW_SIGN);
2774
2775 break;
2776
2777 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2778 goto PNG_FP_End; */
2779
2780 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2781 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2782
2783 break;
2784
2785 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2786 goto PNG_FP_End; */
2787
2788 default: goto PNG_FP_End; /* I.e. break 2 */
2789 }
2790
2791 /* The character seems ok, continue. */
2792 ++i;
2793 }
2794
2795 PNG_FP_End:
2796 /* Here at the end, update the state and return the correct
2797 * return code.
2798 */
2799 *statep = state;
2800 *whereami = i;
2801
2802 return (state & PNG_FP_SAW_DIGIT) != 0;
2803 }
2804
2805
2806 /* The same but for a complete string. */
2807 int
2808 png_check_fp_string(png_const_charp string, png_size_t size)
2809 {
2810 int state=0;
2811 png_size_t char_index=0;
2812
2813 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2814 (char_index == size || string[char_index] == 0))
2815 return state /* must be non-zero - see above */;
2816
2817 return 0; /* i.e. fail */
2818 }
2819 #endif /* pCAL || sCAL */
2820
2821 #ifdef PNG_sCAL_SUPPORTED
2822 # ifdef PNG_FLOATING_POINT_SUPPORTED
2823 /* Utility used below - a simple accurate power of ten from an integral
2824 * exponent.
2825 */
2826 static double
2827 png_pow10(int power)
2828 {
2829 int recip = 0;
2830 double d = 1;
2831
2832 /* Handle negative exponent with a reciprocal at the end because
2833 * 10 is exact whereas .1 is inexact in base 2
2834 */
2835 if (power < 0)
2836 {
2837 if (power < DBL_MIN_10_EXP) return 0;
2838 recip = 1, power = -power;
2839 }
2840
2841 if (power > 0)
2842 {
2843 /* Decompose power bitwise. */
2844 double mult = 10;
2845 do
2846 {
2847 if (power & 1) d *= mult;
2848 mult *= mult;
2849 power >>= 1;
2850 }
2851 while (power > 0);
2852
2853 if (recip != 0) d = 1/d;
2854 }
2855 /* else power is 0 and d is 1 */
2856
2857 return d;
2858 }
2859
2860 /* Function to format a floating point value in ASCII with a given
2861 * precision.
2862 */
2863 void /* PRIVATE */
2864 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
2865 double fp, unsigned int precision)
2866 {
2867 /* We use standard functions from math.h, but not printf because
2868 * that would require stdio. The caller must supply a buffer of
2869 * sufficient size or we will png_error. The tests on size and
2870 * the space in ascii[] consumed are indicated below.
2871 */
2872 if (precision < 1)
2873 precision = DBL_DIG;
2874
2875 /* Enforce the limit of the implementation precision too. */
2876 if (precision > DBL_DIG+1)
2877 precision = DBL_DIG+1;
2878
2879 /* Basic sanity checks */
2880 if (size >= precision+5) /* See the requirements below. */
2881 {
2882 if (fp < 0)
2883 {
2884 fp = -fp;
2885 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2886 --size;
2887 }
2888
2889 if (fp >= DBL_MIN && fp <= DBL_MAX)
2890 {
2891 int exp_b10; /* A base 10 exponent */
2892 double base; /* 10^exp_b10 */
2893
2894 /* First extract a base 10 exponent of the number,
2895 * the calculation below rounds down when converting
2896 * from base 2 to base 10 (multiply by log10(2) -
2897 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2898 * be increased. Note that the arithmetic shift
2899 * performs a floor() unlike C arithmetic - using a
2900 * C multiply would break the following for negative
2901 * exponents.
2902 */
2903 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2904
2905 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2906
2907 /* Avoid underflow here. */
2908 base = png_pow10(exp_b10); /* May underflow */
2909
2910 while (base < DBL_MIN || base < fp)
2911 {
2912 /* And this may overflow. */
2913 double test = png_pow10(exp_b10+1);
2914
2915 if (test <= DBL_MAX)
2916 ++exp_b10, base = test;
2917
2918 else
2919 break;
2920 }
2921
2922 /* Normalize fp and correct exp_b10, after this fp is in the
2923 * range [.1,1) and exp_b10 is both the exponent and the digit
2924 * *before* which the decimal point should be inserted
2925 * (starting with 0 for the first digit). Note that this
2926 * works even if 10^exp_b10 is out of range because of the
2927 * test on DBL_MAX above.
2928 */
2929 fp /= base;
2930 while (fp >= 1) fp /= 10, ++exp_b10;
2931
2932 /* Because of the code above fp may, at this point, be
2933 * less than .1, this is ok because the code below can
2934 * handle the leading zeros this generates, so no attempt
2935 * is made to correct that here.
2936 */
2937
2938 {
2939 unsigned int czero, clead, cdigits;
2940 char exponent[10];
2941
2942 /* Allow up to two leading zeros - this will not lengthen
2943 * the number compared to using E-n.
2944 */
2945 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2946 {
2947 czero = (unsigned int)(-exp_b10); /* PLUS 2 digits: TOTAL 3 */
2948 exp_b10 = 0; /* Dot added below before first output. */
2949 }
2950 else
2951 czero = 0; /* No zeros to add */
2952
2953 /* Generate the digit list, stripping trailing zeros and
2954 * inserting a '.' before a digit if the exponent is 0.
2955 */
2956 clead = czero; /* Count of leading zeros */
2957 cdigits = 0; /* Count of digits in list. */
2958
2959 do
2960 {
2961 double d;
2962
2963 fp *= 10;
2964 /* Use modf here, not floor and subtract, so that
2965 * the separation is done in one step. At the end
2966 * of the loop don't break the number into parts so
2967 * that the final digit is rounded.
2968 */
2969 if (cdigits+czero+1 < precision+clead)
2970 fp = modf(fp, &d);
2971
2972 else
2973 {
2974 d = floor(fp + .5);
2975
2976 if (d > 9)
2977 {
2978 /* Rounding up to 10, handle that here. */
2979 if (czero > 0)
2980 {
2981 --czero, d = 1;
2982 if (cdigits == 0) --clead;
2983 }
2984 else
2985 {
2986 while (cdigits > 0 && d > 9)
2987 {
2988 int ch = *--ascii;
2989
2990 if (exp_b10 != (-1))
2991 ++exp_b10;
2992
2993 else if (ch == 46)
2994 {
2995 ch = *--ascii, ++size;
2996 /* Advance exp_b10 to '1', so that the
2997 * decimal point happens after the
2998 * previous digit.
2999 */
3000 exp_b10 = 1;
3001 }
3002
3003 --cdigits;
3004 d = ch - 47; /* I.e. 1+(ch-48) */
3005 }
3006
3007 /* Did we reach the beginning? If so adjust the
3008 * exponent but take into account the leading
3009 * decimal point.
3010 */
3011 if (d > 9) /* cdigits == 0 */
3012 {
3013 if (exp_b10 == (-1))
3014 {
3015 /* Leading decimal point (plus zeros?), if
3016 * we lose the decimal point here it must
3017 * be reentered below.
3018 */
3019 int ch = *--ascii;
3020
3021 if (ch == 46)
3022 ++size, exp_b10 = 1;
3023
3024 /* Else lost a leading zero, so 'exp_b10' is
3025 * still ok at (-1)
3026 */
3027 }
3028 else
3029 ++exp_b10;
3030
3031 /* In all cases we output a '1' */
3032 d = 1;
3033 }
3034 }
3035 }
3036 fp = 0; /* Guarantees termination below. */
3037 }
3038
3039 if (d == 0)
3040 {
3041 ++czero;
3042 if (cdigits == 0) ++clead;
3043 }
3044 else
3045 {
3046 /* Included embedded zeros in the digit count. */
3047 cdigits += czero - clead;
3048 clead = 0;
3049
3050 while (czero > 0)
3051 {
3052 /* exp_b10 == (-1) means we just output the decimal
3053 * place - after the DP don't adjust 'exp_b10' any
3054 * more!
3055 */
3056 if (exp_b10 != (-1))
3057 {
3058 if (exp_b10 == 0) *ascii++ = 46, --size;
3059 /* PLUS 1: TOTAL 4 */
3060 --exp_b10;
3061 }
3062 *ascii++ = 48, --czero;
3063 }
3064
3065 if (exp_b10 != (-1))
3066 {
3067 if (exp_b10 == 0)
3068 *ascii++ = 46, --size; /* counted above */
3069
3070 --exp_b10;
3071 }
3072 *ascii++ = (char)(48 + (int)d), ++cdigits;
3073 }
3074 }
3075 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3076
3077 /* The total output count (max) is now 4+precision */
3078
3079 /* Check for an exponent, if we don't need one we are
3080 * done and just need to terminate the string. At
3081 * this point exp_b10==(-1) is effectively if flag - it got
3082 * to '-1' because of the decrement after outputting
3083 * the decimal point above (the exponent required is
3084 * *not* -1!)
3085 */
3086 if (exp_b10 >= (-1) && exp_b10 <= 2)
3087 {
3088 /* The following only happens if we didn't output the
3089 * leading zeros above for negative exponent, so this
3090 * doesn't add to the digit requirement. Note that the
3091 * two zeros here can only be output if the two leading
3092 * zeros were *not* output, so this doesn't increase
3093 * the output count.
3094 */
3095 while (--exp_b10 >= 0) *ascii++ = 48;
3096
3097 *ascii = 0;
3098
3099 /* Total buffer requirement (including the '\0') is
3100 * 5+precision - see check at the start.
3101 */
3102 return;
3103 }
3104
3105 /* Here if an exponent is required, adjust size for
3106 * the digits we output but did not count. The total
3107 * digit output here so far is at most 1+precision - no
3108 * decimal point and no leading or trailing zeros have
3109 * been output.
3110 */
3111 size -= cdigits;
3112
3113 *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */
3114
3115 /* The following use of an unsigned temporary avoids ambiguities in
3116 * the signed arithmetic on exp_b10 and permits GCC at least to do
3117 * better optimization.
3118 */
3119 {
3120 unsigned int uexp_b10;
3121
3122 if (exp_b10 < 0)
3123 {
3124 *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */
3125 uexp_b10 = (unsigned int)(-exp_b10);
3126 }
3127
3128 else
3129 uexp_b10 = (unsigned int)exp_b10;
3130
3131 cdigits = 0;
3132
3133 while (uexp_b10 > 0)
3134 {
3135 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3136 uexp_b10 /= 10;
3137 }
3138 }
3139
3140 /* Need another size check here for the exponent digits, so
3141 * this need not be considered above.
3142 */
3143 if (size > cdigits)
3144 {
3145 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3146
3147 *ascii = 0;
3148
3149 return;
3150 }
3151 }
3152 }
3153 else if (!(fp >= DBL_MIN))
3154 {
3155 *ascii++ = 48; /* '0' */
3156 *ascii = 0;
3157 return;
3158 }
3159 else
3160 {
3161 *ascii++ = 105; /* 'i' */
3162 *ascii++ = 110; /* 'n' */
3163 *ascii++ = 102; /* 'f' */
3164 *ascii = 0;
3165 return;
3166 }
3167 }
3168
3169 /* Here on buffer too small. */
3170 png_error(png_ptr, "ASCII conversion buffer too small");
3171 }
3172
3173 # endif /* FLOATING_POINT */
3174
3175 # ifdef PNG_FIXED_POINT_SUPPORTED
3176 /* Function to format a fixed point value in ASCII.
3177 */
3178 void /* PRIVATE */
3179 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3180 png_size_t size, png_fixed_point fp)
3181 {
3182 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3183 * trailing \0, 13 characters:
3184 */
3185 if (size > 12)
3186 {
3187 png_uint_32 num;
3188
3189 /* Avoid overflow here on the minimum integer. */
3190 if (fp < 0)
3191 *ascii++ = 45, num = (png_uint_32)(-fp);
3192 else
3193 num = (png_uint_32)fp;
3194
3195 if (num <= 0x80000000) /* else overflowed */
3196 {
3197 unsigned int ndigits = 0, first = 16 /* flag value */;
3198 char digits[10];
3199
3200 while (num)
3201 {
3202 /* Split the low digit off num: */
3203 unsigned int tmp = num/10;
3204 num -= tmp*10;
3205 digits[ndigits++] = (char)(48 + num);
3206 /* Record the first non-zero digit, note that this is a number
3207 * starting at 1, it's not actually the array index.
3208 */
3209 if (first == 16 && num > 0)
3210 first = ndigits;
3211 num = tmp;
3212 }
3213
3214 if (ndigits > 0)
3215 {
3216 while (ndigits > 5) *ascii++ = digits[--ndigits];
3217 /* The remaining digits are fractional digits, ndigits is '5' or
3218 * smaller at this point. It is certainly not zero. Check for a
3219 * non-zero fractional digit:
3220 */
3221 if (first <= 5)
3222 {
3223 unsigned int i;
3224 *ascii++ = 46; /* decimal point */
3225 /* ndigits may be <5 for small numbers, output leading zeros
3226 * then ndigits digits to first:
3227 */
3228 i = 5;
3229 while (ndigits < i) *ascii++ = 48, --i;
3230 while (ndigits >= first) *ascii++ = digits[--ndigits];
3231 /* Don't output the trailing zeros! */
3232 }
3233 }
3234 else
3235 *ascii++ = 48;
3236
3237 /* And null terminate the string: */
3238 *ascii = 0;
3239 return;
3240 }
3241 }
3242
3243 /* Here on buffer too small. */
3244 png_error(png_ptr, "ASCII conversion buffer too small");
3245 }
3246 # endif /* FIXED_POINT */
3247 #endif /* SCAL */
3248
3249 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3250 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3251 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3252 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3253 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3254 (defined(PNG_sCAL_SUPPORTED) && \
3255 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3256 png_fixed_point
3257 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3258 {
3259 double r = floor(100000 * fp + .5);
3260
3261 if (r > 2147483647. || r < -2147483648.)
3262 png_fixed_error(png_ptr, text);
3263
3264 # ifndef PNG_ERROR_TEXT_SUPPORTED
3265 PNG_UNUSED(text)
3266 # endif
3267
3268 return (png_fixed_point)r;
3269 }
3270 #endif
3271
3272 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3273 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3274 /* muldiv functions */
3275 /* This API takes signed arguments and rounds the result to the nearest
3276 * integer (or, for a fixed point number - the standard argument - to
3277 * the nearest .00001). Overflow and divide by zero are signalled in
3278 * the result, a boolean - true on success, false on overflow.
3279 */
3280 int
3281 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3282 png_int_32 divisor)
3283 {
3284 /* Return a * times / divisor, rounded. */
3285 if (divisor != 0)
3286 {
3287 if (a == 0 || times == 0)
3288 {
3289 *res = 0;
3290 return 1;
3291 }
3292 else
3293 {
3294 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3295 double r = a;
3296 r *= times;
3297 r /= divisor;
3298 r = floor(r+.5);
3299
3300 /* A png_fixed_point is a 32-bit integer. */
3301 if (r <= 2147483647. && r >= -2147483648.)
3302 {
3303 *res = (png_fixed_point)r;
3304 return 1;
3305 }
3306 #else
3307 int negative = 0;
3308 png_uint_32 A, T, D;
3309 png_uint_32 s16, s32, s00;
3310
3311 if (a < 0)
3312 negative = 1, A = -a;
3313 else
3314 A = a;
3315
3316 if (times < 0)
3317 negative = !negative, T = -times;
3318 else
3319 T = times;
3320
3321 if (divisor < 0)
3322 negative = !negative, D = -divisor;
3323 else
3324 D = divisor;
3325
3326 /* Following can't overflow because the arguments only
3327 * have 31 bits each, however the result may be 32 bits.
3328 */
3329 s16 = (A >> 16) * (T & 0xffff) +
3330 (A & 0xffff) * (T >> 16);
3331 /* Can't overflow because the a*times bit is only 30
3332 * bits at most.
3333 */
3334 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3335 s00 = (A & 0xffff) * (T & 0xffff);
3336
3337 s16 = (s16 & 0xffff) << 16;
3338 s00 += s16;
3339
3340 if (s00 < s16)
3341 ++s32; /* carry */
3342
3343 if (s32 < D) /* else overflow */
3344 {
3345 /* s32.s00 is now the 64-bit product, do a standard
3346 * division, we know that s32 < D, so the maximum
3347 * required shift is 31.
3348 */
3349 int bitshift = 32;
3350 png_fixed_point result = 0; /* NOTE: signed */
3351
3352 while (--bitshift >= 0)
3353 {
3354 png_uint_32 d32, d00;
3355
3356 if (bitshift > 0)
3357 d32 = D >> (32-bitshift), d00 = D << bitshift;
3358
3359 else
3360 d32 = 0, d00 = D;
3361
3362 if (s32 > d32)
3363 {
3364 if (s00 < d00) --s32; /* carry */
3365 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3366 }
3367
3368 else
3369 if (s32 == d32 && s00 >= d00)
3370 s32 = 0, s00 -= d00, result += 1<<bitshift;
3371 }
3372
3373 /* Handle the rounding. */
3374 if (s00 >= (D >> 1))
3375 ++result;
3376
3377 if (negative != 0)
3378 result = -result;
3379
3380 /* Check for overflow. */
3381 if ((negative != 0 && result <= 0) ||
3382 (negative == 0 && result >= 0))
3383 {
3384 *res = result;
3385 return 1;
3386 }
3387 }
3388 #endif
3389 }
3390 }
3391
3392 return 0;
3393 }
3394 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3395
3396 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3397 /* The following is for when the caller doesn't much care about the
3398 * result.
3399 */
3400 png_fixed_point
3401 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3402 png_int_32 divisor)
3403 {
3404 png_fixed_point result;
3405
3406 if (png_muldiv(&result, a, times, divisor) != 0)
3407 return result;
3408
3409 png_warning(png_ptr, "fixed point overflow ignored");
3410 return 0;
3411 }
3412 #endif
3413
3414 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3415 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3416 png_fixed_point
3417 png_reciprocal(png_fixed_point a)
3418 {
3419 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3420 double r = floor(1E10/a+.5);
3421
3422 if (r <= 2147483647. && r >= -2147483648.)
3423 return (png_fixed_point)r;
3424 #else
3425 png_fixed_point res;
3426
3427 if (png_muldiv(&res, 100000, 100000, a) != 0)
3428 return res;
3429 #endif
3430
3431 return 0; /* error/overflow */
3432 }
3433
3434 /* This is the shared test on whether a gamma value is 'significant' - whether
3435 * it is worth doing gamma correction.
3436 */
3437 int /* PRIVATE */
3438 png_gamma_significant(png_fixed_point gamma_val)
3439 {
3440 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3441 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3442 }
3443 #endif
3444
3445 #ifdef PNG_READ_GAMMA_SUPPORTED
3446 #ifdef PNG_16BIT_SUPPORTED
3447 /* A local convenience routine. */
3448 static png_fixed_point
3449 png_product2(png_fixed_point a, png_fixed_point b)
3450 {
3451 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3452 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3453 double r = a * 1E-5;
3454 r *= b;
3455 r = floor(r+.5);
3456
3457 if (r <= 2147483647. && r >= -2147483648.)
3458 return (png_fixed_point)r;
3459 #else
3460 png_fixed_point res;
3461
3462 if (png_muldiv(&res, a, b, 100000) != 0)
3463 return res;
3464 #endif
3465
3466 return 0; /* overflow */
3467 }
3468 #endif /* 16BIT */
3469
3470 /* The inverse of the above. */
3471 png_fixed_point
3472 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3473 {
3474 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3475 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3476 if (a != 0 && b != 0)
3477 {
3478 double r = 1E15/a;
3479 r /= b;
3480 r = floor(r+.5);
3481
3482 if (r <= 2147483647. && r >= -2147483648.)
3483 return (png_fixed_point)r;
3484 }
3485 #else
3486 /* This may overflow because the range of png_fixed_point isn't symmetric,
3487 * but this API is only used for the product of file and screen gamma so it
3488 * doesn't matter that the smallest number it can produce is 1/21474, not
3489 * 1/100000
3490 */
3491 png_fixed_point res = png_product2(a, b);
3492
3493 if (res != 0)
3494 return png_reciprocal(res);
3495 #endif
3496
3497 return 0; /* overflow */
3498 }
3499 #endif /* READ_GAMMA */
3500
3501 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3502 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3503 /* Fixed point gamma.
3504 *
3505 * The code to calculate the tables used below can be found in the shell script
3506 * contrib/tools/intgamma.sh
3507 *
3508 * To calculate gamma this code implements fast log() and exp() calls using only
3509 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3510 * or 16-bit sample values.
3511 *
3512 * The tables used here were calculated using simple 'bc' programs, but C double
3513 * precision floating point arithmetic would work fine.
3514 *
3515 * 8-bit log table
3516 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3517 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3518 * mantissa. The numbers are 32-bit fractions.
3519 */
3520 static const png_uint_32
3521 png_8bit_l2[128] =
3522 {
3523 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3524 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3525 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3526 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3527 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3528 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3529 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3530 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3531 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3532 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3533 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3534 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3535 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3536 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3537 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3538 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3539 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3540 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3541 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3542 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3543 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3544 24347096U, 0U
3545
3546 #if 0
3547 /* The following are the values for 16-bit tables - these work fine for the
3548 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3549 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3550 * use these all the shifts below must be adjusted appropriately.
3551 */
3552 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3553 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3554 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3555 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3556 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3557 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3558 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3559 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3560 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3561 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3562 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3563 1119, 744, 372
3564 #endif
3565 };
3566
3567 static png_int_32
3568 png_log8bit(unsigned int x)
3569 {
3570 unsigned int lg2 = 0;
3571 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3572 * because the log is actually negate that means adding 1. The final
3573 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3574 * input), return -1 for the overflow (log 0) case, - so the result is
3575 * always at most 19 bits.
3576 */
3577 if ((x &= 0xff) == 0)
3578 return -1;
3579
3580 if ((x & 0xf0) == 0)
3581 lg2 = 4, x <<= 4;
3582
3583 if ((x & 0xc0) == 0)
3584 lg2 += 2, x <<= 2;
3585
3586 if ((x & 0x80) == 0)
3587 lg2 += 1, x <<= 1;
3588
3589 /* result is at most 19 bits, so this cast is safe: */
3590 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3591 }
3592
3593 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3594 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3595 * get an approximation then multiply the approximation by a correction factor
3596 * determined by the remaining up to 8 bits. This requires an additional step
3597 * in the 16-bit case.
3598 *
3599 * We want log2(value/65535), we have log2(v'/255), where:
3600 *
3601 * value = v' * 256 + v''
3602 * = v' * f
3603 *
3604 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3605 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3606 * than 258. The final factor also needs to correct for the fact that our 8-bit
3607 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3608 *
3609 * This gives a final formula using a calculated value 'x' which is value/v' and
3610 * scaling by 65536 to match the above table:
3611 *
3612 * log2(x/257) * 65536
3613 *
3614 * Since these numbers are so close to '1' we can use simple linear
3615 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3616 * (result 367.179). The values used below are scaled by a further 64 to give
3617 * 16-bit precision in the interpolation:
3618 *
3619 * Start (256): -23591
3620 * Zero (257): 0
3621 * End (258): 23499
3622 */
3623 #ifdef PNG_16BIT_SUPPORTED
3624 static png_int_32
3625 png_log16bit(png_uint_32 x)
3626 {
3627 unsigned int lg2 = 0;
3628
3629 /* As above, but now the input has 16 bits. */
3630 if ((x &= 0xffff) == 0)
3631 return -1;
3632
3633 if ((x & 0xff00) == 0)
3634 lg2 = 8, x <<= 8;
3635
3636 if ((x & 0xf000) == 0)
3637 lg2 += 4, x <<= 4;
3638
3639 if ((x & 0xc000) == 0)
3640 lg2 += 2, x <<= 2;
3641
3642 if ((x & 0x8000) == 0)
3643 lg2 += 1, x <<= 1;
3644
3645 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3646 * value.
3647 */
3648 lg2 <<= 28;
3649 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3650
3651 /* Now we need to interpolate the factor, this requires a division by the top
3652 * 8 bits. Do this with maximum precision.
3653 */
3654 x = ((x << 16) + (x >> 9)) / (x >> 8);
3655
3656 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3657 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3658 * 16 bits to interpolate to get the low bits of the result. Round the
3659 * answer. Note that the end point values are scaled by 64 to retain overall
3660 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3661 * the overall scaling by 6-12. Round at every step.
3662 */
3663 x -= 1U << 24;
3664
3665 if (x <= 65536U) /* <= '257' */
3666 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3667
3668 else
3669 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3670
3671 /* Safe, because the result can't have more than 20 bits: */
3672 return (png_int_32)((lg2 + 2048) >> 12);
3673 }
3674 #endif /* 16BIT */
3675
3676 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3677 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3678 * each case only the low 16 bits are relevant - the fraction - since the
3679 * integer bits (the top 4) simply determine a shift.
3680 *
3681 * The worst case is the 16-bit distinction between 65535 and 65534. This
3682 * requires perhaps spurious accuracy in the decoding of the logarithm to
3683 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3684 * of getting this accuracy in practice.
3685 *
3686 * To deal with this the following exp() function works out the exponent of the
3687 * frational part of the logarithm by using an accurate 32-bit value from the
3688 * top four fractional bits then multiplying in the remaining bits.
3689 */
3690 static const png_uint_32
3691 png_32bit_exp[16] =
3692 {
3693 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3694 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3695 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3696 2553802834U, 2445529972U, 2341847524U, 2242560872U
3697 };
3698
3699 /* Adjustment table; provided to explain the numbers in the code below. */
3700 #if 0
3701 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3702 11 44937.64284865548751208448
3703 10 45180.98734845585101160448
3704 9 45303.31936980687359311872
3705 8 45364.65110595323018870784
3706 7 45395.35850361789624614912
3707 6 45410.72259715102037508096
3708 5 45418.40724413220722311168
3709 4 45422.25021786898173001728
3710 3 45424.17186732298419044352
3711 2 45425.13273269940811464704
3712 1 45425.61317555035558641664
3713 0 45425.85339951654943850496
3714 #endif
3715
3716 static png_uint_32
3717 png_exp(png_fixed_point x)
3718 {
3719 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3720 {
3721 /* Obtain a 4-bit approximation */
3722 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3723
3724 /* Incorporate the low 12 bits - these decrease the returned value by
3725 * multiplying by a number less than 1 if the bit is set. The multiplier
3726 * is determined by the above table and the shift. Notice that the values
3727 * converge on 45426 and this is used to allow linear interpolation of the
3728 * low bits.
3729 */
3730 if (x & 0x800)
3731 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3732
3733 if (x & 0x400)
3734 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3735
3736 if (x & 0x200)
3737 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3738
3739 if (x & 0x100)
3740 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3741
3742 if (x & 0x080)
3743 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3744
3745 if (x & 0x040)
3746 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3747
3748 /* And handle the low 6 bits in a single block. */
3749 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3750
3751 /* Handle the upper bits of x. */
3752 e >>= x >> 16;
3753 return e;
3754 }
3755
3756 /* Check for overflow */
3757 if (x <= 0)
3758 return png_32bit_exp[0];
3759
3760 /* Else underflow */
3761 return 0;
3762 }
3763
3764 static png_byte
3765 png_exp8bit(png_fixed_point lg2)
3766 {
3767 /* Get a 32-bit value: */
3768 png_uint_32 x = png_exp(lg2);
3769
3770 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3771 * second, rounding, step can't overflow because of the first, subtraction,
3772 * step.
3773 */
3774 x -= x >> 8;
3775 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3776 }
3777
3778 #ifdef PNG_16BIT_SUPPORTED
3779 static png_uint_16
3780 png_exp16bit(png_fixed_point lg2)
3781 {
3782 /* Get a 32-bit value: */
3783 png_uint_32 x = png_exp(lg2);
3784
3785 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3786 x -= x >> 16;
3787 return (png_uint_16)((x + 32767U) >> 16);
3788 }
3789 #endif /* 16BIT */
3790 #endif /* FLOATING_ARITHMETIC */
3791
3792 png_byte
3793 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3794 {
3795 if (value > 0 && value < 255)
3796 {
3797 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3798 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3799 * convert this to a floating point value. This includes values that
3800 * would overflow if 'value' were to be converted to 'int'.
3801 *
3802 * Apparently GCC, however, does an intermediate conversion to (int)
3803 * on some (ARM) but not all (x86) platforms, possibly because of
3804 * hardware FP limitations. (E.g. if the hardware conversion always
3805 * assumes the integer register contains a signed value.) This results
3806 * in ANSI-C undefined behavior for large values.
3807 *
3808 * Other implementations on the same machine might actually be ANSI-C90
3809 * conformant and therefore compile spurious extra code for the large
3810 * values.
3811 *
3812 * We can be reasonably sure that an unsigned to float conversion
3813 * won't be faster than an int to float one. Therefore this code
3814 * assumes responsibility for the undefined behavior, which it knows
3815 * can't happen because of the check above.
3816 *
3817 * Note the argument to this routine is an (unsigned int) because, on
3818 * 16-bit platforms, it is assigned a value which might be out of
3819 * range for an (int); that would result in undefined behavior in the
3820 * caller if the *argument* ('value') were to be declared (int).
3821 */
3822 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3823 return (png_byte)r;
3824 # else
3825 png_int_32 lg2 = png_log8bit(value);
3826 png_fixed_point res;
3827
3828 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3829 return png_exp8bit(res);
3830
3831 /* Overflow. */
3832 value = 0;
3833 # endif
3834 }
3835
3836 return (png_byte)(value & 0xff);
3837 }
3838
3839 #ifdef PNG_16BIT_SUPPORTED
3840 png_uint_16
3841 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3842 {
3843 if (value > 0 && value < 65535)
3844 {
3845 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3846 /* The same (unsigned int)->(double) constraints apply here as above,
3847 * however in this case the (unsigned int) to (int) conversion can
3848 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3849 * that this is not possible.
3850 */
3851 double r = floor(65535*pow((png_int_32)value/65535.,
3852 gamma_val*.00001)+.5);
3853 return (png_uint_16)r;
3854 # else
3855 png_int_32 lg2 = png_log16bit(value);
3856 png_fixed_point res;
3857
3858 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3859 return png_exp16bit(res);
3860
3861 /* Overflow. */
3862 value = 0;
3863 # endif
3864 }
3865
3866 return (png_uint_16)value;
3867 }
3868 #endif /* 16BIT */
3869
3870 /* This does the right thing based on the bit_depth field of the
3871 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3872 * is nominally a 16-bit value if bit depth is 8 then the result is
3873 * 8-bit (as are the arguments.)
3874 */
3875 png_uint_16 /* PRIVATE */
3876 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3877 png_fixed_point gamma_val)
3878 {
3879 if (png_ptr->bit_depth == 8)
3880 return png_gamma_8bit_correct(value, gamma_val);
3881
3882 #ifdef PNG_16BIT_SUPPORTED
3883 else
3884 return png_gamma_16bit_correct(value, gamma_val);
3885 #else
3886 /* should not reach this */
3887 return 0;
3888 #endif /* 16BIT */
3889 }
3890
3891 #ifdef PNG_16BIT_SUPPORTED
3892 /* Internal function to build a single 16-bit table - the table consists of
3893 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3894 * to shift the input values right (or 16-number_of_signifiant_bits).
3895 *
3896 * The caller is responsible for ensuring that the table gets cleaned up on
3897 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3898 * should be somewhere that will be cleaned.
3899 */
3900 static void
3901 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3902 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3903 {
3904 /* Various values derived from 'shift': */
3905 PNG_CONST unsigned int num = 1U << (8U - shift);
3906 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3907 /* CSE the division and work round wacky GCC warnings (see the comments
3908 * in png_gamma_8bit_correct for where these come from.)
3909 */
3910 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);
3911 #endif
3912 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3913 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
3914 unsigned int i;
3915
3916 png_uint_16pp table = *ptable =
3917 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3918
3919 for (i = 0; i < num; i++)
3920 {
3921 png_uint_16p sub_table = table[i] =
3922 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3923
3924 /* The 'threshold' test is repeated here because it can arise for one of
3925 * the 16-bit tables even if the others don't hit it.
3926 */
3927 if (png_gamma_significant(gamma_val) != 0)
3928 {
3929 /* The old code would overflow at the end and this would cause the
3930 * 'pow' function to return a result >1, resulting in an
3931 * arithmetic error. This code follows the spec exactly; ig is
3932 * the recovered input sample, it always has 8-16 bits.
3933 *
3934 * We want input * 65535/max, rounded, the arithmetic fits in 32
3935 * bits (unsigned) so long as max <= 32767.
3936 */
3937 unsigned int j;
3938 for (j = 0; j < 256; j++)
3939 {
3940 png_uint_32 ig = (j << (8-shift)) + i;
3941 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3942 /* Inline the 'max' scaling operation: */
3943 /* See png_gamma_8bit_correct for why the cast to (int) is
3944 * required here.
3945 */
3946 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
3947 sub_table[j] = (png_uint_16)d;
3948 # else
3949 if (shift != 0)
3950 ig = (ig * 65535U + max_by_2)/max;
3951
3952 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
3953 # endif
3954 }
3955 }
3956 else
3957 {
3958 /* We must still build a table, but do it the fast way. */
3959 unsigned int j;
3960
3961 for (j = 0; j < 256; j++)
3962 {
3963 png_uint_32 ig = (j << (8-shift)) + i;
3964
3965 if (shift != 0)
3966 ig = (ig * 65535U + max_by_2)/max;
3967
3968 sub_table[j] = (png_uint_16)ig;
3969 }
3970 }
3971 }
3972 }
3973
3974 /* NOTE: this function expects the *inverse* of the overall gamma transformation
3975 * required.
3976 */
3977 static void
3978 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
3979 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3980 {
3981 PNG_CONST unsigned int num = 1U << (8U - shift);
3982 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3983 unsigned int i;
3984 png_uint_32 last;
3985
3986 png_uint_16pp table = *ptable =
3987 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3988
3989 /* 'num' is the number of tables and also the number of low bits of low
3990 * bits of the input 16-bit value used to select a table. Each table is
3991 * itself indexed by the high 8 bits of the value.
3992 */
3993 for (i = 0; i < num; i++)
3994 table[i] = (png_uint_16p)png_malloc(png_ptr,
3995 256 * (sizeof (png_uint_16)));
3996
3997 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
3998 * pow(out,g) is an *input* value. 'last' is the last input value set.
3999 *
4000 * In the loop 'i' is used to find output values. Since the output is
4001 * 8-bit there are only 256 possible values. The tables are set up to
4002 * select the closest possible output value for each input by finding
4003 * the input value at the boundary between each pair of output values
4004 * and filling the table up to that boundary with the lower output
4005 * value.
4006 *
4007 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4008 * values the code below uses a 16-bit value in i; the values start at
4009 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4010 * entries are filled with 255). Start i at 128 and fill all 'last'
4011 * table entries <= 'max'
4012 */
4013 last = 0;
4014 for (i = 0; i < 255; ++i) /* 8-bit output value */
4015 {
4016 /* Find the corresponding maximum input value */
4017 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4018
4019 /* Find the boundary value in 16 bits: */
4020 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4021
4022 /* Adjust (round) to (16-shift) bits: */
4023 bound = (bound * max + 32768U)/65535U + 1U;
4024
4025 while (last < bound)
4026 {
4027 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4028 last++;
4029 }
4030 }
4031
4032 /* And fill in the final entries. */
4033 while (last < (num << 8))
4034 {
4035 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4036 last++;
4037 }
4038 }
4039 #endif /* 16BIT */
4040
4041 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4042 * typically much faster). Note that libpng currently does no sBIT processing
4043 * (apparently contrary to the spec) so a 256-entry table is always generated.
4044 */
4045 static void
4046 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4047 PNG_CONST png_fixed_point gamma_val)
4048 {
4049 unsigned int i;
4050 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4051
4052 if (png_gamma_significant(gamma_val) != 0)
4053 for (i=0; i<256; i++)
4054 table[i] = png_gamma_8bit_correct(i, gamma_val);
4055
4056 else
4057 for (i=0; i<256; ++i)
4058 table[i] = (png_byte)(i & 0xff);
4059 }
4060
4061 /* Used from png_read_destroy and below to release the memory used by the gamma
4062 * tables.
4063 */
4064 void /* PRIVATE */
4065 png_destroy_gamma_table(png_structrp png_ptr)
4066 {
4067 png_free(png_ptr, png_ptr->gamma_table);
4068 png_ptr->gamma_table = NULL;
4069
4070 #ifdef PNG_16BIT_SUPPORTED
4071 if (png_ptr->gamma_16_table != NULL)
4072 {
4073 int i;
4074 int istop = (1 << (8 - png_ptr->gamma_shift));
4075 for (i = 0; i < istop; i++)
4076 {
4077 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4078 }
4079 png_free(png_ptr, png_ptr->gamma_16_table);
4080 png_ptr->gamma_16_table = NULL;
4081 }
4082 #endif /* 16BIT */
4083
4084 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4085 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4086 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4087 png_free(png_ptr, png_ptr->gamma_from_1);
4088 png_ptr->gamma_from_1 = NULL;
4089 png_free(png_ptr, png_ptr->gamma_to_1);
4090 png_ptr->gamma_to_1 = NULL;
4091
4092 #ifdef PNG_16BIT_SUPPORTED
4093 if (png_ptr->gamma_16_from_1 != NULL)
4094 {
4095 int i;
4096 int istop = (1 << (8 - png_ptr->gamma_shift));
4097 for (i = 0; i < istop; i++)
4098 {
4099 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4100 }
4101 png_free(png_ptr, png_ptr->gamma_16_from_1);
4102 png_ptr->gamma_16_from_1 = NULL;
4103 }
4104 if (png_ptr->gamma_16_to_1 != NULL)
4105 {
4106 int i;
4107 int istop = (1 << (8 - png_ptr->gamma_shift));
4108 for (i = 0; i < istop; i++)
4109 {
4110 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4111 }
4112 png_free(png_ptr, png_ptr->gamma_16_to_1);
4113 png_ptr->gamma_16_to_1 = NULL;
4114 }
4115 #endif /* 16BIT */
4116 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4117 }
4118
4119 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4120 * tables, we don't make a full table if we are reducing to 8-bit in
4121 * the future. Note also how the gamma_16 tables are segmented so that
4122 * we don't need to allocate > 64K chunks for a full 16-bit table.
4123 */
4124 void /* PRIVATE */
4125 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4126 {
4127 png_debug(1, "in png_build_gamma_table");
4128
4129 /* Remove any existing table; this copes with multiple calls to
4130 * png_read_update_info. The warning is because building the gamma tables
4131 * multiple times is a performance hit - it's harmless but the ability to
4132 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4133 * sensible to warn if the app introduces such a hit.
4134 */
4135 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4136 {
4137 png_warning(png_ptr, "gamma table being rebuilt");
4138 png_destroy_gamma_table(png_ptr);
4139 }
4140
4141 if (bit_depth <= 8)
4142 {
4143 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4144 png_ptr->screen_gamma > 0 ?
4145 png_reciprocal2(png_ptr->colorspace.gamma,
4146 png_ptr->screen_gamma) : PNG_FP_1);
4147
4148 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4149 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4150 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4151 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4152 {
4153 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4154 png_reciprocal(png_ptr->colorspace.gamma));
4155
4156 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4157 png_ptr->screen_gamma > 0 ?
4158 png_reciprocal(png_ptr->screen_gamma) :
4159 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4160 }
4161 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4162 }
4163 #ifdef PNG_16BIT_SUPPORTED
4164 else
4165 {
4166 png_byte shift, sig_bit;
4167
4168 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4169 {
4170 sig_bit = png_ptr->sig_bit.red;
4171
4172 if (png_ptr->sig_bit.green > sig_bit)
4173 sig_bit = png_ptr->sig_bit.green;
4174
4175 if (png_ptr->sig_bit.blue > sig_bit)
4176 sig_bit = png_ptr->sig_bit.blue;
4177 }
4178 else
4179 sig_bit = png_ptr->sig_bit.gray;
4180
4181 /* 16-bit gamma code uses this equation:
4182 *
4183 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4184 *
4185 * Where 'iv' is the input color value and 'ov' is the output value -
4186 * pow(iv, gamma).
4187 *
4188 * Thus the gamma table consists of up to 256 256-entry tables. The table
4189 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4190 * of the color value then indexed by the upper 8 bits:
4191 *
4192 * table[low bits][high 8 bits]
4193 *
4194 * So the table 'n' corresponds to all those 'iv' of:
4195 *
4196 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4197 *
4198 */
4199 if (sig_bit > 0 && sig_bit < 16U)
4200 /* shift == insignificant bits */
4201 shift = (png_byte)((16U - sig_bit) & 0xff);
4202
4203 else
4204 shift = 0; /* keep all 16 bits */
4205
4206 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4207 {
4208 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4209 * the significant bits in the *input* when the output will
4210 * eventually be 8 bits. By default it is 11.
4211 */
4212 if (shift < (16U - PNG_MAX_GAMMA_8))
4213 shift = (16U - PNG_MAX_GAMMA_8);
4214 }
4215
4216 if (shift > 8U)
4217 shift = 8U; /* Guarantees at least one table! */
4218
4219 png_ptr->gamma_shift = shift;
4220
4221 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4222 * PNG_COMPOSE). This effectively smashed the background calculation for
4223 * 16-bit output because the 8-bit table assumes the result will be
4224 * reduced to 8 bits.
4225 */
4226 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4227 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4228 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4229 png_ptr->screen_gamma) : PNG_FP_1);
4230
4231 else
4232 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4233 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4234 png_ptr->screen_gamma) : PNG_FP_1);
4235
4236 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4237 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4238 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4239 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4240 {
4241 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4242 png_reciprocal(png_ptr->colorspace.gamma));
4243
4244 /* Notice that the '16 from 1' table should be full precision, however
4245 * the lookup on this table still uses gamma_shift, so it can't be.
4246 * TODO: fix this.
4247 */
4248 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4249 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4250 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4251 }
4252 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4253 }
4254 #endif /* 16BIT */
4255 }
4256 #endif /* READ_GAMMA */
4257
4258 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4259 #ifdef PNG_SET_OPTION_SUPPORTED
4260 int PNGAPI
4261 png_set_option(png_structrp png_ptr, int option, int onoff)
4262 {
4263 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4264 (option & 1) == 0)
4265 {
4266 int mask = 3 << option;
4267 int setting = (2 + (onoff != 0)) << option;
4268 int current = png_ptr->options;
4269
4270 png_ptr->options = (png_byte)(((current & ~mask) | setting) & 0xff);
4271
4272 return (current & mask) >> option;
4273 }
4274
4275 return PNG_OPTION_INVALID;
4276 }
4277 #endif
4278
4279 /* sRGB support */
4280 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4281 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4282 /* sRGB conversion tables; these are machine generated with the code in
4283 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4284 * specification (see the article at http://en.wikipedia.org/wiki/SRGB)
4285 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4286 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4287 * The inverse (linear to sRGB) table has accuracies as follows:
4288 *
4289 * For all possible (255*65535+1) input values:
4290 *
4291 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4292 *
4293 * For the input values corresponding to the 65536 16-bit values:
4294 *
4295 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4296 *
4297 * In all cases the inexact readings are only off by one.
4298 */
4299
4300 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4301 /* The convert-to-sRGB table is only currently required for read. */
4302 const png_uint_16 png_sRGB_table[256] =
4303 {
4304 0,20,40,60,80,99,119,139,
4305 159,179,199,219,241,264,288,313,
4306 340,367,396,427,458,491,526,562,
4307 599,637,677,718,761,805,851,898,
4308 947,997,1048,1101,1156,1212,1270,1330,
4309 1391,1453,1517,1583,1651,1720,1790,1863,
4310 1937,2013,2090,2170,2250,2333,2418,2504,
4311 2592,2681,2773,2866,2961,3058,3157,3258,
4312 3360,3464,3570,3678,3788,3900,4014,4129,
4313 4247,4366,4488,4611,4736,4864,4993,5124,
4314 5257,5392,5530,5669,5810,5953,6099,6246,
4315 6395,6547,6700,6856,7014,7174,7335,7500,
4316 7666,7834,8004,8177,8352,8528,8708,8889,
4317 9072,9258,9445,9635,9828,10022,10219,10417,
4318 10619,10822,11028,11235,11446,11658,11873,12090,
4319 12309,12530,12754,12980,13209,13440,13673,13909,
4320 14146,14387,14629,14874,15122,15371,15623,15878,
4321 16135,16394,16656,16920,17187,17456,17727,18001,
4322 18277,18556,18837,19121,19407,19696,19987,20281,
4323 20577,20876,21177,21481,21787,22096,22407,22721,
4324 23038,23357,23678,24002,24329,24658,24990,25325,
4325 25662,26001,26344,26688,27036,27386,27739,28094,
4326 28452,28813,29176,29542,29911,30282,30656,31033,
4327 31412,31794,32179,32567,32957,33350,33745,34143,
4328 34544,34948,35355,35764,36176,36591,37008,37429,
4329 37852,38278,38706,39138,39572,40009,40449,40891,
4330 41337,41785,42236,42690,43147,43606,44069,44534,
4331 45002,45473,45947,46423,46903,47385,47871,48359,
4332 48850,49344,49841,50341,50844,51349,51858,52369,
4333 52884,53401,53921,54445,54971,55500,56032,56567,
4334 57105,57646,58190,58737,59287,59840,60396,60955,
4335 61517,62082,62650,63221,63795,64372,64952,65535
4336 };
4337 #endif /* SIMPLIFIED_READ */
4338
4339 /* The base/delta tables are required for both read and write (but currently
4340 * only the simplified versions.)
4341 */
4342 const png_uint_16 png_sRGB_base[512] =
4343 {
4344 128,1782,3383,4644,5675,6564,7357,8074,
4345 8732,9346,9921,10463,10977,11466,11935,12384,
4346 12816,13233,13634,14024,14402,14769,15125,15473,
4347 15812,16142,16466,16781,17090,17393,17690,17981,
4348 18266,18546,18822,19093,19359,19621,19879,20133,
4349 20383,20630,20873,21113,21349,21583,21813,22041,
4350 22265,22487,22707,22923,23138,23350,23559,23767,
4351 23972,24175,24376,24575,24772,24967,25160,25352,
4352 25542,25730,25916,26101,26284,26465,26645,26823,
4353 27000,27176,27350,27523,27695,27865,28034,28201,
4354 28368,28533,28697,28860,29021,29182,29341,29500,
4355 29657,29813,29969,30123,30276,30429,30580,30730,
4356 30880,31028,31176,31323,31469,31614,31758,31902,
4357 32045,32186,32327,32468,32607,32746,32884,33021,
4358 33158,33294,33429,33564,33697,33831,33963,34095,
4359 34226,34357,34486,34616,34744,34873,35000,35127,
4360 35253,35379,35504,35629,35753,35876,35999,36122,
4361 36244,36365,36486,36606,36726,36845,36964,37083,
4362 37201,37318,37435,37551,37668,37783,37898,38013,
4363 38127,38241,38354,38467,38580,38692,38803,38915,
4364 39026,39136,39246,39356,39465,39574,39682,39790,
4365 39898,40005,40112,40219,40325,40431,40537,40642,
4366 40747,40851,40955,41059,41163,41266,41369,41471,
4367 41573,41675,41777,41878,41979,42079,42179,42279,
4368 42379,42478,42577,42676,42775,42873,42971,43068,
4369 43165,43262,43359,43456,43552,43648,43743,43839,
4370 43934,44028,44123,44217,44311,44405,44499,44592,
4371 44685,44778,44870,44962,45054,45146,45238,45329,
4372 45420,45511,45601,45692,45782,45872,45961,46051,
4373 46140,46229,46318,46406,46494,46583,46670,46758,
4374 46846,46933,47020,47107,47193,47280,47366,47452,
4375 47538,47623,47709,47794,47879,47964,48048,48133,
4376 48217,48301,48385,48468,48552,48635,48718,48801,
4377 48884,48966,49048,49131,49213,49294,49376,49458,
4378 49539,49620,49701,49782,49862,49943,50023,50103,
4379 50183,50263,50342,50422,50501,50580,50659,50738,
4380 50816,50895,50973,51051,51129,51207,51285,51362,
4381 51439,51517,51594,51671,51747,51824,51900,51977,
4382 52053,52129,52205,52280,52356,52432,52507,52582,
4383 52657,52732,52807,52881,52956,53030,53104,53178,
4384 53252,53326,53400,53473,53546,53620,53693,53766,
4385 53839,53911,53984,54056,54129,54201,54273,54345,
4386 54417,54489,54560,54632,54703,54774,54845,54916,
4387 54987,55058,55129,55199,55269,55340,55410,55480,
4388 55550,55620,55689,55759,55828,55898,55967,56036,
4389 56105,56174,56243,56311,56380,56448,56517,56585,
4390 56653,56721,56789,56857,56924,56992,57059,57127,
4391 57194,57261,57328,57395,57462,57529,57595,57662,
4392 57728,57795,57861,57927,57993,58059,58125,58191,
4393 58256,58322,58387,58453,58518,58583,58648,58713,
4394 58778,58843,58908,58972,59037,59101,59165,59230,
4395 59294,59358,59422,59486,59549,59613,59677,59740,
4396 59804,59867,59930,59993,60056,60119,60182,60245,
4397 60308,60370,60433,60495,60558,60620,60682,60744,
4398 60806,60868,60930,60992,61054,61115,61177,61238,
4399 61300,61361,61422,61483,61544,61605,61666,61727,
4400 61788,61848,61909,61969,62030,62090,62150,62211,
4401 62271,62331,62391,62450,62510,62570,62630,62689,
4402 62749,62808,62867,62927,62986,63045,63104,63163,
4403 63222,63281,63340,63398,63457,63515,63574,63632,
4404 63691,63749,63807,63865,63923,63981,64039,64097,
4405 64155,64212,64270,64328,64385,64443,64500,64557,
4406 64614,64672,64729,64786,64843,64900,64956,65013,
4407 65070,65126,65183,65239,65296,65352,65409,65465
4408 };
4409
4410 const png_byte png_sRGB_delta[512] =
4411 {
4412 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4413 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4414 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4415 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4416 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4417 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4418 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4419 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4420 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4421 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4422 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4423 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4424 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4425 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4426 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4427 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4428 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4429 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4430 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4431 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4432 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4433 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4434 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4435 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4436 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4437 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4438 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4439 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4440 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4441 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4442 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4443 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4444 };
4445 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4446
4447 /* SIMPLIFIED READ/WRITE SUPPORT */
4448 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4449 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4450 static int
4451 png_image_free_function(png_voidp argument)
4452 {
4453 png_imagep image = png_voidcast(png_imagep, argument);
4454 png_controlp cp = image->opaque;
4455 png_control c;
4456
4457 /* Double check that we have a png_ptr - it should be impossible to get here
4458 * without one.
4459 */
4460 if (cp->png_ptr == NULL)
4461 return 0;
4462
4463 /* First free any data held in the control structure. */
4464 # ifdef PNG_STDIO_SUPPORTED
4465 if (cp->owned_file != 0)
4466 {
4467 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4468 cp->owned_file = 0;
4469
4470 /* Ignore errors here. */
4471 if (fp != NULL)
4472 {
4473 cp->png_ptr->io_ptr = NULL;
4474 (void)fclose(fp);
4475 }
4476 }
4477 # endif
4478
4479 /* Copy the control structure so that the original, allocated, version can be
4480 * safely freed. Notice that a png_error here stops the remainder of the
4481 * cleanup, but this is probably fine because that would indicate bad memory
4482 * problems anyway.
4483 */
4484 c = *cp;
4485 image->opaque = &c;
4486 png_free(c.png_ptr, cp);
4487
4488 /* Then the structures, calling the correct API. */
4489 if (c.for_write != 0)
4490 {
4491 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4492 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4493 # else
4494 png_error(c.png_ptr, "simplified write not supported");
4495 # endif
4496 }
4497 else
4498 {
4499 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4500 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4501 # else
4502 png_error(c.png_ptr, "simplified read not supported");
4503 # endif
4504 }
4505
4506 /* Success. */
4507 return 1;
4508 }
4509
4510 void PNGAPI
4511 png_image_free(png_imagep image)
4512 {
4513 /* Safely call the real function, but only if doing so is safe at this point
4514 * (if not inside an error handling context). Otherwise assume
4515 * png_safe_execute will call this API after the return.
4516 */
4517 if (image != NULL && image->opaque != NULL &&
4518 image->opaque->error_buf == NULL)
4519 {
4520 /* Ignore errors here: */
4521 (void)png_safe_execute(image, png_image_free_function, image);
4522 image->opaque = NULL;
4523 }
4524 }
4525
4526 int /* PRIVATE */
4527 png_image_error(png_imagep image, png_const_charp error_message)
4528 {
4529 /* Utility to log an error. */
4530 png_safecat(image->message, (sizeof image->message), 0, error_message);
4531 image->warning_or_error |= PNG_IMAGE_ERROR;
4532 png_image_free(image);
4533 return 0;
4534 }
4535
4536 #endif /* SIMPLIFIED READ/WRITE */
4537 #endif /* READ || WRITE */
4538