1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 *
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "ImageLogging.h" // Must appear first
8 #include "nsPNGDecoder.h"
9
10 #include <algorithm>
11 #include <cstdint>
12
13 #include "gfxColor.h"
14 #include "gfxPlatform.h"
15 #include "imgFrame.h"
16 #include "nsColor.h"
17 #include "nsMemory.h"
18 #include "nsRect.h"
19 #include "nspr.h"
20 #include "png.h"
21
22 #include "RasterImage.h"
23 #include "SurfaceCache.h"
24 #include "SurfacePipeFactory.h"
25 #include "mozilla/DebugOnly.h"
26 #include "mozilla/Telemetry.h"
27
28 using namespace mozilla::gfx;
29
30 using std::min;
31
32 namespace mozilla {
33 namespace image {
34
35 static LazyLogModule sPNGLog("PNGDecoder");
36 static LazyLogModule sPNGDecoderAccountingLog("PNGDecoderAccounting");
37
38 // limit image dimensions (bug #251381, #591822, #967656, and #1283961)
39 #ifndef MOZ_PNG_MAX_WIDTH
40 # define MOZ_PNG_MAX_WIDTH 0x7fffffff // Unlimited
41 #endif
42 #ifndef MOZ_PNG_MAX_HEIGHT
43 # define MOZ_PNG_MAX_HEIGHT 0x7fffffff // Unlimited
44 #endif
45
46 /* Controls the maximum chunk size configuration for libpng. We set this to a
47 * very large number, 256MB specifically. */
48 static constexpr png_alloc_size_t kPngMaxChunkSize = 0x10000000;
49
AnimFrameInfo()50 nsPNGDecoder::AnimFrameInfo::AnimFrameInfo()
51 : mDispose(DisposalMethod::KEEP), mBlend(BlendMethod::OVER), mTimeout(0) {}
52
53 #ifdef PNG_APNG_SUPPORTED
54
GetNextFrameDelay(png_structp aPNG,png_infop aInfo)55 int32_t GetNextFrameDelay(png_structp aPNG, png_infop aInfo) {
56 // Delay, in seconds, is delayNum / delayDen.
57 png_uint_16 delayNum = png_get_next_frame_delay_num(aPNG, aInfo);
58 png_uint_16 delayDen = png_get_next_frame_delay_den(aPNG, aInfo);
59
60 if (delayNum == 0) {
61 return 0; // SetFrameTimeout() will set to a minimum.
62 }
63
64 if (delayDen == 0) {
65 delayDen = 100; // So says the APNG spec.
66 }
67
68 // Need to cast delay_num to float to have a proper division and
69 // the result to int to avoid a compiler warning.
70 return static_cast<int32_t>(static_cast<double>(delayNum) * 1000 / delayDen);
71 }
72
AnimFrameInfo(png_structp aPNG,png_infop aInfo)73 nsPNGDecoder::AnimFrameInfo::AnimFrameInfo(png_structp aPNG, png_infop aInfo)
74 : mDispose(DisposalMethod::KEEP), mBlend(BlendMethod::OVER), mTimeout(0) {
75 png_byte dispose_op = png_get_next_frame_dispose_op(aPNG, aInfo);
76 png_byte blend_op = png_get_next_frame_blend_op(aPNG, aInfo);
77
78 if (dispose_op == PNG_DISPOSE_OP_PREVIOUS) {
79 mDispose = DisposalMethod::RESTORE_PREVIOUS;
80 } else if (dispose_op == PNG_DISPOSE_OP_BACKGROUND) {
81 mDispose = DisposalMethod::CLEAR;
82 } else {
83 mDispose = DisposalMethod::KEEP;
84 }
85
86 if (blend_op == PNG_BLEND_OP_SOURCE) {
87 mBlend = BlendMethod::SOURCE;
88 } else {
89 mBlend = BlendMethod::OVER;
90 }
91
92 mTimeout = GetNextFrameDelay(aPNG, aInfo);
93 }
94 #endif
95
96 // First 8 bytes of a PNG file
97 const uint8_t nsPNGDecoder::pngSignatureBytes[] = {137, 80, 78, 71,
98 13, 10, 26, 10};
99
nsPNGDecoder(RasterImage * aImage)100 nsPNGDecoder::nsPNGDecoder(RasterImage* aImage)
101 : Decoder(aImage),
102 mLexer(Transition::ToUnbuffered(State::FINISHED_PNG_DATA, State::PNG_DATA,
103 SIZE_MAX),
104 Transition::TerminateSuccess()),
105 mNextTransition(Transition::ContinueUnbuffered(State::PNG_DATA)),
106 mLastChunkLength(0),
107 mPNG(nullptr),
108 mInfo(nullptr),
109 mCMSLine(nullptr),
110 interlacebuf(nullptr),
111 mFormat(SurfaceFormat::UNKNOWN),
112 mChannels(0),
113 mPass(0),
114 mFrameIsHidden(false),
115 mDisablePremultipliedAlpha(false),
116 mGotInfoCallback(false),
117 mUsePipeTransform(false),
118 mNumFrames(0) {}
119
~nsPNGDecoder()120 nsPNGDecoder::~nsPNGDecoder() {
121 if (mPNG) {
122 png_destroy_read_struct(&mPNG, mInfo ? &mInfo : nullptr, nullptr);
123 }
124 if (mCMSLine) {
125 free(mCMSLine);
126 }
127 if (interlacebuf) {
128 free(interlacebuf);
129 }
130 }
131
GetTransparencyType(const OrientedIntRect & aFrameRect)132 nsPNGDecoder::TransparencyType nsPNGDecoder::GetTransparencyType(
133 const OrientedIntRect& aFrameRect) {
134 // Check if the image has a transparent color in its palette.
135 if (HasAlphaChannel()) {
136 return TransparencyType::eAlpha;
137 }
138 if (!aFrameRect.IsEqualEdges(FullFrame())) {
139 MOZ_ASSERT(HasAnimation());
140 return TransparencyType::eFrameRect;
141 }
142
143 return TransparencyType::eNone;
144 }
145
PostHasTransparencyIfNeeded(TransparencyType aTransparencyType)146 void nsPNGDecoder::PostHasTransparencyIfNeeded(
147 TransparencyType aTransparencyType) {
148 switch (aTransparencyType) {
149 case TransparencyType::eNone:
150 return;
151
152 case TransparencyType::eAlpha:
153 PostHasTransparency();
154 return;
155
156 case TransparencyType::eFrameRect:
157 // If the first frame of animated image doesn't draw into the whole image,
158 // then record that it is transparent. For subsequent frames, this doesn't
159 // affect transparency, because they're composited on top of all previous
160 // frames.
161 if (mNumFrames == 0) {
162 PostHasTransparency();
163 }
164 return;
165 }
166 }
167
168 // CreateFrame() is used for both simple and animated images.
CreateFrame(const FrameInfo & aFrameInfo)169 nsresult nsPNGDecoder::CreateFrame(const FrameInfo& aFrameInfo) {
170 MOZ_ASSERT(HasSize());
171 MOZ_ASSERT(!IsMetadataDecode());
172
173 // Check if we have transparency, and send notifications if needed.
174 auto transparency = GetTransparencyType(aFrameInfo.mFrameRect);
175 PostHasTransparencyIfNeeded(transparency);
176 mFormat = transparency == TransparencyType::eNone ? SurfaceFormat::OS_RGBX
177 : SurfaceFormat::OS_RGBA;
178
179 // Make sure there's no animation or padding if we're downscaling.
180 MOZ_ASSERT_IF(Size() != OutputSize(), mNumFrames == 0);
181 MOZ_ASSERT_IF(Size() != OutputSize(), !GetImageMetadata().HasAnimation());
182 MOZ_ASSERT_IF(Size() != OutputSize(),
183 transparency != TransparencyType::eFrameRect);
184
185 Maybe<AnimationParams> animParams;
186 #ifdef PNG_APNG_SUPPORTED
187 if (!IsFirstFrameDecode() && png_get_valid(mPNG, mInfo, PNG_INFO_acTL)) {
188 mAnimInfo = AnimFrameInfo(mPNG, mInfo);
189
190 if (mAnimInfo.mDispose == DisposalMethod::CLEAR) {
191 // We may have to display the background under this image during
192 // animation playback, so we regard it as transparent.
193 PostHasTransparency();
194 }
195
196 animParams.emplace(
197 AnimationParams{aFrameInfo.mFrameRect.ToUnknownRect(),
198 FrameTimeout::FromRawMilliseconds(mAnimInfo.mTimeout),
199 mNumFrames, mAnimInfo.mBlend, mAnimInfo.mDispose});
200 }
201 #endif
202
203 // If this image is interlaced, we can display better quality intermediate
204 // results to the user by post processing them with ADAM7InterpolatingFilter.
205 SurfacePipeFlags pipeFlags = aFrameInfo.mIsInterlaced
206 ? SurfacePipeFlags::ADAM7_INTERPOLATE
207 : SurfacePipeFlags();
208
209 if (mNumFrames == 0) {
210 // The first frame may be displayed progressively.
211 pipeFlags |= SurfacePipeFlags::PROGRESSIVE_DISPLAY;
212 }
213
214 SurfaceFormat inFormat;
215 if (mTransform && !mUsePipeTransform) {
216 // QCMS will output in the correct format.
217 inFormat = mFormat;
218 } else if (transparency == TransparencyType::eAlpha) {
219 // We are outputting directly as RGBA, so we need to swap at this step.
220 inFormat = SurfaceFormat::R8G8B8A8;
221 } else {
222 // We have no alpha channel, so we need to unpack from RGB to BGRA.
223 inFormat = SurfaceFormat::R8G8B8;
224 }
225
226 // Only apply premultiplication if the frame has true alpha. If we ever
227 // support downscaling animated images, we will need to premultiply for frame
228 // rect transparency when downscaling as well.
229 if (transparency == TransparencyType::eAlpha && !mDisablePremultipliedAlpha) {
230 pipeFlags |= SurfacePipeFlags::PREMULTIPLY_ALPHA;
231 }
232
233 qcms_transform* pipeTransform = mUsePipeTransform ? mTransform : nullptr;
234 Maybe<SurfacePipe> pipe = SurfacePipeFactory::CreateSurfacePipe(
235 this, Size(), OutputSize(), aFrameInfo.mFrameRect, inFormat, mFormat,
236 animParams, pipeTransform, pipeFlags);
237
238 if (!pipe) {
239 mPipe = SurfacePipe();
240 return NS_ERROR_FAILURE;
241 }
242
243 mPipe = std::move(*pipe);
244
245 mFrameRect = aFrameInfo.mFrameRect;
246 mPass = 0;
247
248 MOZ_LOG(sPNGDecoderAccountingLog, LogLevel::Debug,
249 ("PNGDecoderAccounting: nsPNGDecoder::CreateFrame -- created "
250 "image frame with %dx%d pixels for decoder %p",
251 mFrameRect.Width(), mFrameRect.Height(), this));
252
253 return NS_OK;
254 }
255
256 // set timeout and frame disposal method for the current frame
EndImageFrame()257 void nsPNGDecoder::EndImageFrame() {
258 if (mFrameIsHidden) {
259 return;
260 }
261
262 mNumFrames++;
263
264 Opacity opacity = mFormat == SurfaceFormat::OS_RGBX
265 ? Opacity::FULLY_OPAQUE
266 : Opacity::SOME_TRANSPARENCY;
267
268 PostFrameStop(opacity);
269 }
270
InitInternal()271 nsresult nsPNGDecoder::InitInternal() {
272 mDisablePremultipliedAlpha =
273 bool(GetSurfaceFlags() & SurfaceFlags::NO_PREMULTIPLY_ALPHA);
274
275 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
276 static png_byte color_chunks[] = {99, 72, 82, 77, '\0', // cHRM
277 105, 67, 67, 80, '\0'}; // iCCP
278 static png_byte unused_chunks[] = {98, 75, 71, 68, '\0', // bKGD
279 101, 88, 73, 102, '\0', // eXIf
280 104, 73, 83, 84, '\0', // hIST
281 105, 84, 88, 116, '\0', // iTXt
282 111, 70, 70, 115, '\0', // oFFs
283 112, 67, 65, 76, '\0', // pCAL
284 115, 67, 65, 76, '\0', // sCAL
285 112, 72, 89, 115, '\0', // pHYs
286 115, 66, 73, 84, '\0', // sBIT
287 115, 80, 76, 84, '\0', // sPLT
288 116, 69, 88, 116, '\0', // tEXt
289 116, 73, 77, 69, '\0', // tIME
290 122, 84, 88, 116, '\0'}; // zTXt
291 #endif
292
293 // Initialize the container's source image header
294 // Always decode to 24 bit pixdepth
295
296 mPNG = png_create_read_struct(PNG_LIBPNG_VER_STRING, nullptr,
297 nsPNGDecoder::error_callback,
298 nsPNGDecoder::warning_callback);
299 if (!mPNG) {
300 return NS_ERROR_OUT_OF_MEMORY;
301 }
302
303 mInfo = png_create_info_struct(mPNG);
304 if (!mInfo) {
305 png_destroy_read_struct(&mPNG, nullptr, nullptr);
306 return NS_ERROR_OUT_OF_MEMORY;
307 }
308
309 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
310 // Ignore unused chunks
311 if (mCMSMode == CMSMode::Off || IsMetadataDecode()) {
312 png_set_keep_unknown_chunks(mPNG, 1, color_chunks, 2);
313 }
314
315 png_set_keep_unknown_chunks(mPNG, 1, unused_chunks,
316 (int)sizeof(unused_chunks) / 5);
317 #endif
318
319 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
320 png_set_user_limits(mPNG, MOZ_PNG_MAX_WIDTH, MOZ_PNG_MAX_HEIGHT);
321 png_set_chunk_malloc_max(mPNG, kPngMaxChunkSize);
322 #endif
323
324 #ifdef PNG_READ_CHECK_FOR_INVALID_INDEX_SUPPORTED
325 // Disallow palette-index checking, for speed; we would ignore the warning
326 // anyhow. This feature was added at libpng version 1.5.10 and is disabled
327 // in the embedded libpng but enabled by default in the system libpng. This
328 // call also disables it in the system libpng, for decoding speed.
329 // Bug #745202.
330 png_set_check_for_invalid_index(mPNG, 0);
331 #endif
332
333 #ifdef PNG_SET_OPTION_SUPPORTED
334 # if defined(PNG_sRGB_PROFILE_CHECKS) && PNG_sRGB_PROFILE_CHECKS >= 0
335 // Skip checking of sRGB ICC profiles
336 png_set_option(mPNG, PNG_SKIP_sRGB_CHECK_PROFILE, PNG_OPTION_ON);
337 # endif
338
339 # ifdef PNG_MAXIMUM_INFLATE_WINDOW
340 // Force a larger zlib inflate window as some images in the wild have
341 // incorrectly set metadata (specifically CMF bits) which prevent us from
342 // decoding them otherwise.
343 png_set_option(mPNG, PNG_MAXIMUM_INFLATE_WINDOW, PNG_OPTION_ON);
344 # endif
345 #endif
346
347 // use this as libpng "progressive pointer" (retrieve in callbacks)
348 png_set_progressive_read_fn(
349 mPNG, static_cast<png_voidp>(this), nsPNGDecoder::info_callback,
350 nsPNGDecoder::row_callback, nsPNGDecoder::end_callback);
351
352 return NS_OK;
353 }
354
DoDecode(SourceBufferIterator & aIterator,IResumable * aOnResume)355 LexerResult nsPNGDecoder::DoDecode(SourceBufferIterator& aIterator,
356 IResumable* aOnResume) {
357 MOZ_ASSERT(!HasError(), "Shouldn't call DoDecode after error!");
358
359 LexerResult res = mLexer.Lex(aIterator, aOnResume,
360 [=](State aState, const char* aData, size_t aLength) {
361 switch (aState) {
362 case State::PNG_DATA:
363 return ReadPNGData(aData, aLength);
364 case State::FINISHED_PNG_DATA:
365 return FinishedPNGData();
366 }
367 MOZ_CRASH("Unknown State");
368 });
369
370 #if MOZ_BIG_ENDIAN()
371 if(res.is<TerminalState>() && res.as<TerminalState>() == TerminalState::SUCCESS) {
372 NativeEndian::swapToLittleEndianInPlace<uint32_t>((uint32_t*)(mImageData), mImageDataLength / 4);
373 }
374 #endif
375
376 return res;
377 }
378
ReadPNGData(const char * aData,size_t aLength)379 LexerTransition<nsPNGDecoder::State> nsPNGDecoder::ReadPNGData(
380 const char* aData, size_t aLength) {
381 // If we were waiting until after returning from a yield to call
382 // CreateFrame(), call it now.
383 if (mNextFrameInfo) {
384 if (NS_FAILED(CreateFrame(*mNextFrameInfo))) {
385 return Transition::TerminateFailure();
386 }
387
388 MOZ_ASSERT(mImageData, "Should have a buffer now");
389 mNextFrameInfo = Nothing();
390 }
391
392 // libpng uses setjmp/longjmp for error handling.
393 if (setjmp(png_jmpbuf(mPNG))) {
394 return Transition::TerminateFailure();
395 }
396
397 // Pass the data off to libpng.
398 mLastChunkLength = aLength;
399 mNextTransition = Transition::ContinueUnbuffered(State::PNG_DATA);
400 png_process_data(mPNG, mInfo,
401 reinterpret_cast<unsigned char*>(const_cast<char*>((aData))),
402 aLength);
403
404 // Make sure that we've reached a terminal state if decoding is done.
405 MOZ_ASSERT_IF(GetDecodeDone(), mNextTransition.NextStateIsTerminal());
406 MOZ_ASSERT_IF(HasError(), mNextTransition.NextStateIsTerminal());
407
408 // Continue with whatever transition the callback code requested. We
409 // initialized this to Transition::ContinueUnbuffered(State::PNG_DATA) above,
410 // so by default we just continue the unbuffered read.
411 return mNextTransition;
412 }
413
FinishedPNGData()414 LexerTransition<nsPNGDecoder::State> nsPNGDecoder::FinishedPNGData() {
415 // Since we set up an unbuffered read for SIZE_MAX bytes, if we actually read
416 // all that data something is really wrong.
417 MOZ_ASSERT_UNREACHABLE("Read the entire address space?");
418 return Transition::TerminateFailure();
419 }
420
421 // Sets up gamma pre-correction in libpng before our callback gets called.
422 // We need to do this if we don't end up with a CMS profile.
PNGDoGammaCorrection(png_structp png_ptr,png_infop info_ptr)423 static void PNGDoGammaCorrection(png_structp png_ptr, png_infop info_ptr) {
424 double aGamma;
425
426 if (png_get_gAMA(png_ptr, info_ptr, &aGamma)) {
427 if ((aGamma <= 0.0) || (aGamma > 21474.83)) {
428 aGamma = 0.45455;
429 png_set_gAMA(png_ptr, info_ptr, aGamma);
430 }
431 png_set_gamma(png_ptr, 2.2, aGamma);
432 } else {
433 png_set_gamma(png_ptr, 2.2, 0.45455);
434 }
435 }
436
437 // Adapted from http://www.littlecms.com/pngchrm.c example code
ReadColorProfile(png_structp png_ptr,png_infop info_ptr,int color_type,bool * sRGBTag)438 uint32_t nsPNGDecoder::ReadColorProfile(png_structp png_ptr, png_infop info_ptr,
439 int color_type, bool* sRGBTag) {
440 // First try to see if iCCP chunk is present
441 if (png_get_valid(png_ptr, info_ptr, PNG_INFO_iCCP)) {
442 png_uint_32 profileLen;
443 png_bytep profileData;
444 png_charp profileName;
445 int compression;
446
447 png_get_iCCP(png_ptr, info_ptr, &profileName, &compression, &profileData,
448 &profileLen);
449
450 mInProfile = qcms_profile_from_memory((char*)profileData, profileLen);
451 if (mInProfile) {
452 uint32_t profileSpace = qcms_profile_get_color_space(mInProfile);
453
454 bool mismatch = false;
455 if (color_type & PNG_COLOR_MASK_COLOR) {
456 if (profileSpace != icSigRgbData) {
457 mismatch = true;
458 }
459 } else {
460 if (profileSpace == icSigRgbData) {
461 png_set_gray_to_rgb(png_ptr);
462 } else if (profileSpace != icSigGrayData) {
463 mismatch = true;
464 }
465 }
466
467 if (mismatch) {
468 qcms_profile_release(mInProfile);
469 mInProfile = nullptr;
470 } else {
471 return qcms_profile_get_rendering_intent(mInProfile);
472 }
473 }
474 }
475
476 // Check sRGB chunk
477 if (png_get_valid(png_ptr, info_ptr, PNG_INFO_sRGB)) {
478 *sRGBTag = true;
479
480 int fileIntent;
481 png_set_gray_to_rgb(png_ptr);
482 png_get_sRGB(png_ptr, info_ptr, &fileIntent);
483 uint32_t map[] = {QCMS_INTENT_PERCEPTUAL, QCMS_INTENT_RELATIVE_COLORIMETRIC,
484 QCMS_INTENT_SATURATION,
485 QCMS_INTENT_ABSOLUTE_COLORIMETRIC};
486 return map[fileIntent];
487 }
488
489 // Check gAMA/cHRM chunks
490 if (png_get_valid(png_ptr, info_ptr, PNG_INFO_gAMA) &&
491 png_get_valid(png_ptr, info_ptr, PNG_INFO_cHRM)) {
492 qcms_CIE_xyYTRIPLE primaries;
493 qcms_CIE_xyY whitePoint;
494
495 png_get_cHRM(png_ptr, info_ptr, &whitePoint.x, &whitePoint.y,
496 &primaries.red.x, &primaries.red.y, &primaries.green.x,
497 &primaries.green.y, &primaries.blue.x, &primaries.blue.y);
498 whitePoint.Y = primaries.red.Y = primaries.green.Y = primaries.blue.Y = 1.0;
499
500 double gammaOfFile;
501
502 png_get_gAMA(png_ptr, info_ptr, &gammaOfFile);
503
504 mInProfile = qcms_profile_create_rgb_with_gamma(whitePoint, primaries,
505 1.0 / gammaOfFile);
506
507 if (mInProfile) {
508 png_set_gray_to_rgb(png_ptr);
509 }
510 }
511
512 return QCMS_INTENT_PERCEPTUAL; // Our default
513 }
514
info_callback(png_structp png_ptr,png_infop info_ptr)515 void nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr) {
516 png_uint_32 width, height;
517 int bit_depth, color_type, interlace_type, compression_type, filter_type;
518 unsigned int channels;
519
520 png_bytep trans = nullptr;
521 int num_trans = 0;
522
523 nsPNGDecoder* decoder =
524 static_cast<nsPNGDecoder*>(png_get_progressive_ptr(png_ptr));
525
526 if (decoder->mGotInfoCallback) {
527 MOZ_LOG(sPNGLog, LogLevel::Warning,
528 ("libpng called info_callback more than once\n"));
529 return;
530 }
531
532 decoder->mGotInfoCallback = true;
533
534 // Always decode to 24-bit RGB or 32-bit RGBA
535 png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
536 &interlace_type, &compression_type, &filter_type);
537
538 const OrientedIntRect frameRect(0, 0, width, height);
539
540 // Post our size to the superclass
541 decoder->PostSize(frameRect.Width(), frameRect.Height());
542
543 if (width > SurfaceCache::MaximumCapacity() / (bit_depth > 8 ? 16 : 8)) {
544 // libpng needs space to allocate two row buffers
545 png_error(decoder->mPNG, "Image is too wide");
546 }
547
548 if (decoder->HasError()) {
549 // Setting the size led to an error.
550 png_error(decoder->mPNG, "Sizing error");
551 }
552
553 if (color_type == PNG_COLOR_TYPE_PALETTE) {
554 png_set_expand(png_ptr);
555 }
556
557 if (color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) {
558 png_set_expand(png_ptr);
559 }
560
561 if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
562 png_color_16p trans_values;
563 png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values);
564 // libpng doesn't reject a tRNS chunk with out-of-range samples
565 // so we check it here to avoid setting up a useless opacity
566 // channel or producing unexpected transparent pixels (bug #428045)
567 if (bit_depth < 16) {
568 png_uint_16 sample_max = (1 << bit_depth) - 1;
569 if ((color_type == PNG_COLOR_TYPE_GRAY &&
570 trans_values->gray > sample_max) ||
571 (color_type == PNG_COLOR_TYPE_RGB &&
572 (trans_values->red > sample_max ||
573 trans_values->green > sample_max ||
574 trans_values->blue > sample_max))) {
575 // clear the tRNS valid flag and release tRNS memory
576 png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
577 num_trans = 0;
578 }
579 }
580 if (num_trans != 0) {
581 png_set_expand(png_ptr);
582 }
583 }
584
585 if (bit_depth == 16) {
586 png_set_scale_16(png_ptr);
587 }
588
589 // We only need to extract the color profile for non-metadata decodes. It is
590 // fairly expensive to read the profile and create the transform so we should
591 // avoid it if not necessary.
592 uint32_t intent = -1;
593 bool sRGBTag = false;
594 if (!decoder->IsMetadataDecode()) {
595 if (decoder->mCMSMode != CMSMode::Off) {
596 intent = gfxPlatform::GetRenderingIntent();
597 uint32_t pIntent =
598 decoder->ReadColorProfile(png_ptr, info_ptr, color_type, &sRGBTag);
599 // If we're not mandating an intent, use the one from the image.
600 if (intent == uint32_t(-1)) {
601 intent = pIntent;
602 }
603 }
604 if (!decoder->mInProfile || !decoder->GetCMSOutputProfile()) {
605 png_set_gray_to_rgb(png_ptr);
606
607 // only do gamma correction if CMS isn't entirely disabled
608 if (decoder->mCMSMode != CMSMode::Off) {
609 PNGDoGammaCorrection(png_ptr, info_ptr);
610 }
611 }
612 }
613
614 // Let libpng expand interlaced images.
615 const bool isInterlaced = interlace_type == PNG_INTERLACE_ADAM7;
616 if (isInterlaced) {
617 png_set_interlace_handling(png_ptr);
618 }
619
620 // now all of those things we set above are used to update various struct
621 // members and whatnot, after which we can get channels, rowbytes, etc.
622 png_read_update_info(png_ptr, info_ptr);
623 decoder->mChannels = channels = png_get_channels(png_ptr, info_ptr);
624
625 //---------------------------------------------------------------//
626 // copy PNG info into imagelib structs (formerly png_set_dims()) //
627 //---------------------------------------------------------------//
628
629 if (channels < 1 || channels > 4) {
630 png_error(decoder->mPNG, "Invalid number of channels");
631 }
632
633 #ifdef PNG_APNG_SUPPORTED
634 bool isAnimated = png_get_valid(png_ptr, info_ptr, PNG_INFO_acTL);
635 if (isAnimated) {
636 int32_t rawTimeout = GetNextFrameDelay(png_ptr, info_ptr);
637 decoder->PostIsAnimated(FrameTimeout::FromRawMilliseconds(rawTimeout));
638
639 if (decoder->Size() != decoder->OutputSize() &&
640 !decoder->IsFirstFrameDecode()) {
641 MOZ_ASSERT_UNREACHABLE(
642 "Doing downscale-during-decode "
643 "for an animated image?");
644 png_error(decoder->mPNG, "Invalid downscale attempt"); // Abort decode.
645 }
646 }
647 #endif
648
649 auto transparency = decoder->GetTransparencyType(frameRect);
650 if (decoder->IsMetadataDecode()) {
651 // If we are animated then the first frame rect is either:
652 // 1) the whole image if the IDAT chunk is part of the animation
653 // 2) the frame rect of the first fDAT chunk otherwise.
654 // If we are not animated then we want to make sure to call
655 // PostHasTransparency in the metadata decode if we need to. So it's
656 // okay to pass IntRect(0, 0, width, height) here for animated images;
657 // they will call with the proper first frame rect in the full decode.
658 decoder->PostHasTransparencyIfNeeded(transparency);
659
660 // We have the metadata we're looking for, so stop here, before we allocate
661 // buffers below.
662 return decoder->DoTerminate(png_ptr, TerminalState::SUCCESS);
663 }
664
665 if (decoder->mInProfile && decoder->GetCMSOutputProfile()) {
666 qcms_data_type inType;
667 qcms_data_type outType;
668
669 uint32_t profileSpace = qcms_profile_get_color_space(decoder->mInProfile);
670 decoder->mUsePipeTransform = profileSpace != icSigGrayData;
671 if (decoder->mUsePipeTransform) {
672 // If the transform happens with SurfacePipe, it will be in RGBA if we
673 // have an alpha channel, because the swizzle and premultiplication
674 // happens after color management. Otherwise it will be in BGRA because
675 // the swizzle happens at the start.
676 if (transparency == TransparencyType::eAlpha) {
677 inType = QCMS_DATA_RGBA_8;
678 outType = QCMS_DATA_RGBA_8;
679 } else {
680 inType = gfxPlatform::GetCMSOSRGBAType();
681 outType = inType;
682 }
683 } else {
684 if (color_type & PNG_COLOR_MASK_ALPHA) {
685 inType = QCMS_DATA_GRAYA_8;
686 outType = gfxPlatform::GetCMSOSRGBAType();
687 } else {
688 inType = QCMS_DATA_GRAY_8;
689 outType = gfxPlatform::GetCMSOSRGBAType();
690 }
691 }
692
693 decoder->mTransform = qcms_transform_create(decoder->mInProfile, inType,
694 decoder->GetCMSOutputProfile(),
695 outType, (qcms_intent)intent);
696 } else if ((sRGBTag && decoder->mCMSMode == CMSMode::TaggedOnly) ||
697 decoder->mCMSMode == CMSMode::All) {
698 // If the transform happens with SurfacePipe, it will be in RGBA if we
699 // have an alpha channel, because the swizzle and premultiplication
700 // happens after color management. Otherwise it will be in OS_RGBA because
701 // the swizzle happens at the start.
702 if (transparency == TransparencyType::eAlpha) {
703 decoder->mTransform =
704 decoder->GetCMSsRGBTransform(SurfaceFormat::R8G8B8A8);
705 } else {
706 decoder->mTransform =
707 decoder->GetCMSsRGBTransform(SurfaceFormat::OS_RGBA);
708 }
709 decoder->mUsePipeTransform = true;
710 }
711
712 #ifdef PNG_APNG_SUPPORTED
713 if (isAnimated) {
714 png_set_progressive_frame_fn(png_ptr, nsPNGDecoder::frame_info_callback,
715 nullptr);
716 }
717
718 if (png_get_first_frame_is_hidden(png_ptr, info_ptr)) {
719 decoder->mFrameIsHidden = true;
720 } else {
721 #endif
722 nsresult rv = decoder->CreateFrame(FrameInfo{frameRect, isInterlaced});
723 if (NS_FAILED(rv)) {
724 png_error(decoder->mPNG, "CreateFrame failed");
725 }
726 MOZ_ASSERT(decoder->mImageData, "Should have a buffer now");
727 #ifdef PNG_APNG_SUPPORTED
728 }
729 #endif
730
731 if (decoder->mTransform && !decoder->mUsePipeTransform) {
732 decoder->mCMSLine =
733 static_cast<uint8_t*>(malloc(sizeof(uint32_t) * frameRect.Width()));
734 if (!decoder->mCMSLine) {
735 png_error(decoder->mPNG, "malloc of mCMSLine failed");
736 }
737 }
738
739 if (interlace_type == PNG_INTERLACE_ADAM7) {
740 if (frameRect.Height() <
741 INT32_MAX / (frameRect.Width() * int32_t(channels))) {
742 const size_t bufferSize =
743 channels * frameRect.Width() * frameRect.Height();
744
745 if (bufferSize > SurfaceCache::MaximumCapacity()) {
746 png_error(decoder->mPNG, "Insufficient memory to deinterlace image");
747 }
748
749 decoder->interlacebuf = static_cast<uint8_t*>(malloc(bufferSize));
750 }
751 if (!decoder->interlacebuf) {
752 png_error(decoder->mPNG, "malloc of interlacebuf failed");
753 }
754 }
755 }
756
PostInvalidationIfNeeded()757 void nsPNGDecoder::PostInvalidationIfNeeded() {
758 Maybe<SurfaceInvalidRect> invalidRect = mPipe.TakeInvalidRect();
759 if (!invalidRect) {
760 return;
761 }
762
763 PostInvalidation(invalidRect->mInputSpaceRect,
764 Some(invalidRect->mOutputSpaceRect));
765 }
766
row_callback(png_structp png_ptr,png_bytep new_row,png_uint_32 row_num,int pass)767 void nsPNGDecoder::row_callback(png_structp png_ptr, png_bytep new_row,
768 png_uint_32 row_num, int pass) {
769 /* libpng comments:
770 *
771 * This function is called for every row in the image. If the
772 * image is interlacing, and you turned on the interlace handler,
773 * this function will be called for every row in every pass.
774 * Some of these rows will not be changed from the previous pass.
775 * When the row is not changed, the new_row variable will be
776 * nullptr. The rows and passes are called in order, so you don't
777 * really need the row_num and pass, but I'm supplying them
778 * because it may make your life easier.
779 *
780 * For the non-nullptr rows of interlaced images, you must call
781 * png_progressive_combine_row() passing in the row and the
782 * old row. You can call this function for nullptr rows (it will
783 * just return) and for non-interlaced images (it just does the
784 * memcpy for you) if it will make the code easier. Thus, you
785 * can just do this for all cases:
786 *
787 * png_progressive_combine_row(png_ptr, old_row, new_row);
788 *
789 * where old_row is what was displayed for previous rows. Note
790 * that the first pass (pass == 0 really) will completely cover
791 * the old row, so the rows do not have to be initialized. After
792 * the first pass (and only for interlaced images), you will have
793 * to pass the current row, and the function will combine the
794 * old row and the new row.
795 */
796 nsPNGDecoder* decoder =
797 static_cast<nsPNGDecoder*>(png_get_progressive_ptr(png_ptr));
798
799 if (decoder->mFrameIsHidden) {
800 return; // Skip this frame.
801 }
802
803 MOZ_ASSERT_IF(decoder->IsFirstFrameDecode(), decoder->mNumFrames == 0);
804
805 while (pass > decoder->mPass) {
806 // Advance to the next pass. We may have to do this multiple times because
807 // libpng will skip passes if the image is so small that no pixels have
808 // changed on a given pass, but ADAM7InterpolatingFilter needs to be reset
809 // once for every pass to perform interpolation properly.
810 decoder->mPipe.ResetToFirstRow();
811 decoder->mPass++;
812 }
813
814 const png_uint_32 height =
815 static_cast<png_uint_32>(decoder->mFrameRect.Height());
816
817 if (row_num >= height) {
818 // Bail if we receive extra rows. This is especially important because if we
819 // didn't, we might overflow the deinterlacing buffer.
820 MOZ_ASSERT_UNREACHABLE("libpng producing extra rows?");
821 return;
822 }
823
824 // Note that |new_row| may be null here, indicating that this is an interlaced
825 // image and |row_callback| is being called for a row that hasn't changed.
826 MOZ_ASSERT_IF(!new_row, decoder->interlacebuf);
827
828 if (decoder->interlacebuf) {
829 uint32_t width = uint32_t(decoder->mFrameRect.Width());
830
831 // We'll output the deinterlaced version of the row.
832 uint8_t* rowToWrite =
833 decoder->interlacebuf + (row_num * decoder->mChannels * width);
834
835 // Update the deinterlaced version of this row with the new data.
836 png_progressive_combine_row(png_ptr, rowToWrite, new_row);
837
838 decoder->WriteRow(rowToWrite);
839 } else {
840 decoder->WriteRow(new_row);
841 }
842 }
843
WriteRow(uint8_t * aRow)844 void nsPNGDecoder::WriteRow(uint8_t* aRow) {
845 MOZ_ASSERT(aRow);
846
847 uint8_t* rowToWrite = aRow;
848 uint32_t width = uint32_t(mFrameRect.Width());
849
850 // Apply color management to the row, if necessary, before writing it out.
851 // This is only needed for grayscale images.
852 if (mTransform && !mUsePipeTransform) {
853 MOZ_ASSERT(mCMSLine);
854 qcms_transform_data(mTransform, rowToWrite, mCMSLine, width);
855 rowToWrite = mCMSLine;
856 }
857
858 // Write this row to the SurfacePipe.
859 DebugOnly<WriteState> result =
860 mPipe.WriteBuffer(reinterpret_cast<uint32_t*>(rowToWrite));
861 MOZ_ASSERT(WriteState(result) != WriteState::FAILURE);
862
863 PostInvalidationIfNeeded();
864 }
865
DoTerminate(png_structp aPNGStruct,TerminalState aState)866 void nsPNGDecoder::DoTerminate(png_structp aPNGStruct, TerminalState aState) {
867 // Stop processing data. Note that we intentionally ignore the return value of
868 // png_process_data_pause(), which tells us how many bytes of the data that
869 // was passed to png_process_data() have not been consumed yet, because now
870 // that we've reached a terminal state, we won't do any more decoding or call
871 // back into libpng anymore.
872 png_process_data_pause(aPNGStruct, /* save = */ false);
873
874 mNextTransition = aState == TerminalState::SUCCESS
875 ? Transition::TerminateSuccess()
876 : Transition::TerminateFailure();
877 }
878
DoYield(png_structp aPNGStruct)879 void nsPNGDecoder::DoYield(png_structp aPNGStruct) {
880 // Pause data processing. png_process_data_pause() returns how many bytes of
881 // the data that was passed to png_process_data() have not been consumed yet.
882 // We use this information to tell StreamingLexer where to place us in the
883 // input stream when we come back from the yield.
884 png_size_t pendingBytes = png_process_data_pause(aPNGStruct,
885 /* save = */ false);
886
887 MOZ_ASSERT(pendingBytes < mLastChunkLength);
888 size_t consumedBytes = mLastChunkLength - min(pendingBytes, mLastChunkLength);
889
890 mNextTransition =
891 Transition::ContinueUnbufferedAfterYield(State::PNG_DATA, consumedBytes);
892 }
893
FinishInternal()894 nsresult nsPNGDecoder::FinishInternal() {
895 // We shouldn't be called in error cases.
896 MOZ_ASSERT(!HasError(), "Can't call FinishInternal on error!");
897
898 if (IsMetadataDecode()) {
899 return NS_OK;
900 }
901
902 int32_t loop_count = 0;
903 #ifdef PNG_APNG_SUPPORTED
904 if (png_get_valid(mPNG, mInfo, PNG_INFO_acTL)) {
905 int32_t num_plays = png_get_num_plays(mPNG, mInfo);
906 loop_count = num_plays - 1;
907 }
908 #endif
909
910 if (InFrame()) {
911 EndImageFrame();
912 }
913 PostDecodeDone(loop_count);
914
915 return NS_OK;
916 }
917
918 #ifdef PNG_APNG_SUPPORTED
919 // got the header of a new frame that's coming
frame_info_callback(png_structp png_ptr,png_uint_32 frame_num)920 void nsPNGDecoder::frame_info_callback(png_structp png_ptr,
921 png_uint_32 frame_num) {
922 nsPNGDecoder* decoder =
923 static_cast<nsPNGDecoder*>(png_get_progressive_ptr(png_ptr));
924
925 // old frame is done
926 decoder->EndImageFrame();
927
928 const bool previousFrameWasHidden = decoder->mFrameIsHidden;
929
930 if (!previousFrameWasHidden && decoder->IsFirstFrameDecode()) {
931 // We're about to get a second non-hidden frame, but we only want the first.
932 // Stop decoding now. (And avoid allocating the unnecessary buffers below.)
933 return decoder->DoTerminate(png_ptr, TerminalState::SUCCESS);
934 }
935
936 // Only the first frame can be hidden, so unhide unconditionally here.
937 decoder->mFrameIsHidden = false;
938
939 // Save the information necessary to create the frame; we'll actually create
940 // it when we return from the yield.
941 const OrientedIntRect frameRect(
942 png_get_next_frame_x_offset(png_ptr, decoder->mInfo),
943 png_get_next_frame_y_offset(png_ptr, decoder->mInfo),
944 png_get_next_frame_width(png_ptr, decoder->mInfo),
945 png_get_next_frame_height(png_ptr, decoder->mInfo));
946 const bool isInterlaced = bool(decoder->interlacebuf);
947
948 # ifndef MOZ_EMBEDDED_LIBPNG
949 // if using system library, check frame_width and height against 0
950 if (frameRect.width == 0) {
951 png_error(png_ptr, "Frame width must not be 0");
952 }
953 if (frameRect.height == 0) {
954 png_error(png_ptr, "Frame height must not be 0");
955 }
956 # endif
957
958 const FrameInfo info{frameRect, isInterlaced};
959
960 // If the previous frame was hidden, skip the yield (which will mislead the
961 // caller, who will think the previous frame was real) and just allocate the
962 // new frame here.
963 if (previousFrameWasHidden) {
964 if (NS_FAILED(decoder->CreateFrame(info))) {
965 return decoder->DoTerminate(png_ptr, TerminalState::FAILURE);
966 }
967
968 MOZ_ASSERT(decoder->mImageData, "Should have a buffer now");
969 return; // No yield, so we'll just keep decoding.
970 }
971
972 // Yield to the caller to notify them that the previous frame is now complete.
973 decoder->mNextFrameInfo = Some(info);
974 return decoder->DoYield(png_ptr);
975 }
976 #endif
977
end_callback(png_structp png_ptr,png_infop info_ptr)978 void nsPNGDecoder::end_callback(png_structp png_ptr, png_infop info_ptr) {
979 /* libpng comments:
980 *
981 * this function is called when the whole image has been read,
982 * including any chunks after the image (up to and including
983 * the IEND). You will usually have the same info chunk as you
984 * had in the header, although some data may have been added
985 * to the comments and time fields.
986 *
987 * Most people won't do much here, perhaps setting a flag that
988 * marks the image as finished.
989 */
990
991 nsPNGDecoder* decoder =
992 static_cast<nsPNGDecoder*>(png_get_progressive_ptr(png_ptr));
993
994 // We shouldn't get here if we've hit an error
995 MOZ_ASSERT(!decoder->HasError(), "Finishing up PNG but hit error!");
996
997 return decoder->DoTerminate(png_ptr, TerminalState::SUCCESS);
998 }
999
error_callback(png_structp png_ptr,png_const_charp error_msg)1000 void nsPNGDecoder::error_callback(png_structp png_ptr,
1001 png_const_charp error_msg) {
1002 MOZ_LOG(sPNGLog, LogLevel::Error, ("libpng error: %s\n", error_msg));
1003 png_longjmp(png_ptr, 1);
1004 }
1005
warning_callback(png_structp png_ptr,png_const_charp warning_msg)1006 void nsPNGDecoder::warning_callback(png_structp png_ptr,
1007 png_const_charp warning_msg) {
1008 MOZ_LOG(sPNGLog, LogLevel::Warning, ("libpng warning: %s\n", warning_msg));
1009 }
1010
SpeedHistogram() const1011 Maybe<Telemetry::HistogramID> nsPNGDecoder::SpeedHistogram() const {
1012 return Some(Telemetry::IMAGE_DECODE_SPEED_PNG);
1013 }
1014
IsValidICOResource() const1015 bool nsPNGDecoder::IsValidICOResource() const {
1016 // Only 32-bit RGBA PNGs are valid ICO resources; see here:
1017 // http://blogs.msdn.com/b/oldnewthing/archive/2010/10/22/10079192.aspx
1018
1019 // If there are errors in the call to png_get_IHDR, the error_callback in
1020 // nsPNGDecoder.cpp is called. In this error callback we do a longjmp, so
1021 // we need to save the jump buffer here. Otherwise we'll end up without a
1022 // proper callstack.
1023 if (setjmp(png_jmpbuf(mPNG))) {
1024 // We got here from a longjmp call indirectly from png_get_IHDR
1025 return false;
1026 }
1027
1028 png_uint_32 png_width, // Unused
1029 png_height; // Unused
1030
1031 int png_bit_depth, png_color_type;
1032
1033 if (png_get_IHDR(mPNG, mInfo, &png_width, &png_height, &png_bit_depth,
1034 &png_color_type, nullptr, nullptr, nullptr)) {
1035 return ((png_color_type == PNG_COLOR_TYPE_RGB_ALPHA ||
1036 png_color_type == PNG_COLOR_TYPE_RGB) &&
1037 png_bit_depth == 8);
1038 } else {
1039 return false;
1040 }
1041 }
1042
1043 } // namespace image
1044 } // namespace mozilla
1045