1 2 /* png.c - location for general purpose libpng functions 3 * 4 * Last changed in libpng 1.6.33 [September 28, 2017] 5 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 8 * 9 * This code is released under the libpng license. 10 * For conditions of distribution and use, see the disclaimer 11 * and license in png.h 12 */ 13 14 #include "pngpriv.h" 15 16 /* Generate a compiler error if there is an old png.h in the search path. */ 17 typedef png_libpng_version_1_6_34 Your_png_h_is_not_version_1_6_34; 18 19 #ifdef __GNUC__ 20 /* The version tests may need to be added to, but the problem warning has 21 * consistently been fixed in GCC versions which obtain wide-spread release. 22 * The problem is that many versions of GCC rearrange comparison expressions in 23 * the optimizer in such a way that the results of the comparison will change 24 * if signed integer overflow occurs. Such comparisons are not permitted in 25 * ANSI C90, however GCC isn't clever enough to work out that that do not occur 26 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with 27 * -Wextra. Unfortunately this is highly dependent on the optimizer and the 28 * machine architecture so the warning comes and goes unpredictably and is 29 * impossible to "fix", even were that a good idea. 30 */ 31 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1 32 #define GCC_STRICT_OVERFLOW 1 33 #endif /* GNU 7.1.x */ 34 #endif /* GNU */ 35 #ifndef GCC_STRICT_OVERFLOW 36 #define GCC_STRICT_OVERFLOW 0 37 #endif 38 39 /* Tells libpng that we have already handled the first "num_bytes" bytes 40 * of the PNG file signature. If the PNG data is embedded into another 41 * stream we can set num_bytes = 8 so that libpng will not attempt to read 42 * or write any of the magic bytes before it starts on the IHDR. 43 */ 44 45 #ifdef PNG_READ_SUPPORTED 46 void PNGAPI 47 png_set_sig_bytes(png_structrp png_ptr, int num_bytes) 48 { 49 unsigned int nb = (unsigned int)num_bytes; 50 51 png_debug(1, "in png_set_sig_bytes"); 52 53 if (png_ptr == NULL) 54 return; 55 56 if (num_bytes < 0) 57 nb = 0; 58 59 if (nb > 8) 60 png_error(png_ptr, "Too many bytes for PNG signature"); 61 62 png_ptr->sig_bytes = (png_byte)nb; 63 } 64 65 /* Checks whether the supplied bytes match the PNG signature. We allow 66 * checking less than the full 8-byte signature so that those apps that 67 * already read the first few bytes of a file to determine the file type 68 * can simply check the remaining bytes for extra assurance. Returns 69 * an integer less than, equal to, or greater than zero if sig is found, 70 * respectively, to be less than, to match, or be greater than the correct 71 * PNG signature (this is the same behavior as strcmp, memcmp, etc). 72 */ 73 int PNGAPI 74 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check) 75 { 76 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10}; 77 78 if (num_to_check > 8) 79 num_to_check = 8; 80 81 else if (num_to_check < 1) 82 return (-1); 83 84 if (start > 7) 85 return (-1); 86 87 if (start + num_to_check > 8) 88 num_to_check = 8 - start; 89 90 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check))); 91 } 92 93 #endif /* READ */ 94 95 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 96 /* Function to allocate memory for zlib */ 97 PNG_FUNCTION(voidpf /* PRIVATE */, 98 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED) 99 { 100 png_alloc_size_t num_bytes = size; 101 102 if (png_ptr == NULL) 103 return NULL; 104 105 if (items >= (~(png_alloc_size_t)0)/size) 106 { 107 png_warning (png_voidcast(png_structrp, png_ptr), 108 "Potential overflow in png_zalloc()"); 109 return NULL; 110 } 111 112 num_bytes *= items; 113 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes); 114 } 115 116 /* Function to free memory for zlib */ 117 void /* PRIVATE */ 118 png_zfree(voidpf png_ptr, voidpf ptr) 119 { 120 png_free(png_voidcast(png_const_structrp,png_ptr), ptr); 121 } 122 123 /* Reset the CRC variable to 32 bits of 1's. Care must be taken 124 * in case CRC is > 32 bits to leave the top bits 0. 125 */ 126 void /* PRIVATE */ 127 png_reset_crc(png_structrp png_ptr) 128 { 129 /* The cast is safe because the crc is a 32-bit value. */ 130 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0); 131 } 132 133 /* Calculate the CRC over a section of data. We can only pass as 134 * much data to this routine as the largest single buffer size. We 135 * also check that this data will actually be used before going to the 136 * trouble of calculating it. 137 */ 138 void /* PRIVATE */ 139 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length) 140 { 141 int need_crc = 1; 142 143 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0) 144 { 145 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 146 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 147 need_crc = 0; 148 } 149 150 else /* critical */ 151 { 152 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0) 153 need_crc = 0; 154 } 155 156 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some 157 * systems it is a 64-bit value. crc32, however, returns 32 bits so the 158 * following cast is safe. 'uInt' may be no more than 16 bits, so it is 159 * necessary to perform a loop here. 160 */ 161 if (need_crc != 0 && length > 0) 162 { 163 uLong crc = png_ptr->crc; /* Should never issue a warning */ 164 165 do 166 { 167 uInt safe_length = (uInt)length; 168 #ifndef __COVERITY__ 169 if (safe_length == 0) 170 safe_length = (uInt)-1; /* evil, but safe */ 171 #endif 172 173 crc = crc32(crc, ptr, safe_length); 174 175 /* The following should never issue compiler warnings; if they do the 176 * target system has characteristics that will probably violate other 177 * assumptions within the libpng code. 178 */ 179 ptr += safe_length; 180 length -= safe_length; 181 } 182 while (length > 0); 183 184 /* And the following is always safe because the crc is only 32 bits. */ 185 png_ptr->crc = (png_uint_32)crc; 186 } 187 } 188 189 /* Check a user supplied version number, called from both read and write 190 * functions that create a png_struct. 191 */ 192 int 193 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver) 194 { 195 /* Libpng versions 1.0.0 and later are binary compatible if the version 196 * string matches through the second '.'; we must recompile any 197 * applications that use any older library version. 198 */ 199 200 if (user_png_ver != NULL) 201 { 202 int i = -1; 203 int found_dots = 0; 204 205 do 206 { 207 i++; 208 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) 209 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 210 if (user_png_ver[i] == '.') 211 found_dots++; 212 } while (found_dots < 2 && user_png_ver[i] != 0 && 213 PNG_LIBPNG_VER_STRING[i] != 0); 214 } 215 216 else 217 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 218 219 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0) 220 { 221 #ifdef PNG_WARNINGS_SUPPORTED 222 size_t pos = 0; 223 char m[128]; 224 225 pos = png_safecat(m, (sizeof m), pos, 226 "Application built with libpng-"); 227 pos = png_safecat(m, (sizeof m), pos, user_png_ver); 228 pos = png_safecat(m, (sizeof m), pos, " but running with "); 229 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING); 230 PNG_UNUSED(pos) 231 232 png_warning(png_ptr, m); 233 #endif 234 235 #ifdef PNG_ERROR_NUMBERS_SUPPORTED 236 png_ptr->flags = 0; 237 #endif 238 239 return 0; 240 } 241 242 /* Success return. */ 243 return 1; 244 } 245 246 /* Generic function to create a png_struct for either read or write - this 247 * contains the common initialization. 248 */ 249 PNG_FUNCTION(png_structp /* PRIVATE */, 250 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr, 251 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr, 252 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED) 253 { 254 png_struct create_struct; 255 # ifdef PNG_SETJMP_SUPPORTED 256 jmp_buf create_jmp_buf; 257 # endif 258 259 /* This temporary stack-allocated structure is used to provide a place to 260 * build enough context to allow the user provided memory allocator (if any) 261 * to be called. 262 */ 263 memset(&create_struct, 0, (sizeof create_struct)); 264 265 /* Added at libpng-1.2.6 */ 266 # ifdef PNG_USER_LIMITS_SUPPORTED 267 create_struct.user_width_max = PNG_USER_WIDTH_MAX; 268 create_struct.user_height_max = PNG_USER_HEIGHT_MAX; 269 270 # ifdef PNG_USER_CHUNK_CACHE_MAX 271 /* Added at libpng-1.2.43 and 1.4.0 */ 272 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; 273 # endif 274 275 # ifdef PNG_USER_CHUNK_MALLOC_MAX 276 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists 277 * in png_struct regardless. 278 */ 279 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; 280 # endif 281 # endif 282 283 /* The following two API calls simply set fields in png_struct, so it is safe 284 * to do them now even though error handling is not yet set up. 285 */ 286 # ifdef PNG_USER_MEM_SUPPORTED 287 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn); 288 # else 289 PNG_UNUSED(mem_ptr) 290 PNG_UNUSED(malloc_fn) 291 PNG_UNUSED(free_fn) 292 # endif 293 294 /* (*error_fn) can return control to the caller after the error_ptr is set, 295 * this will result in a memory leak unless the error_fn does something 296 * extremely sophisticated. The design lacks merit but is implicit in the 297 * API. 298 */ 299 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn); 300 301 # ifdef PNG_SETJMP_SUPPORTED 302 if (!setjmp(create_jmp_buf)) 303 # endif 304 { 305 # ifdef PNG_SETJMP_SUPPORTED 306 /* Temporarily fake out the longjmp information until we have 307 * successfully completed this function. This only works if we have 308 * setjmp() support compiled in, but it is safe - this stuff should 309 * never happen. 310 */ 311 create_struct.jmp_buf_ptr = &create_jmp_buf; 312 create_struct.jmp_buf_size = 0; /*stack allocation*/ 313 create_struct.longjmp_fn = longjmp; 314 # endif 315 /* Call the general version checker (shared with read and write code): 316 */ 317 if (png_user_version_check(&create_struct, user_png_ver) != 0) 318 { 319 png_structrp png_ptr = png_voidcast(png_structrp, 320 png_malloc_warn(&create_struct, (sizeof *png_ptr))); 321 322 if (png_ptr != NULL) 323 { 324 /* png_ptr->zstream holds a back-pointer to the png_struct, so 325 * this can only be done now: 326 */ 327 create_struct.zstream.zalloc = png_zalloc; 328 create_struct.zstream.zfree = png_zfree; 329 create_struct.zstream.opaque = png_ptr; 330 331 # ifdef PNG_SETJMP_SUPPORTED 332 /* Eliminate the local error handling: */ 333 create_struct.jmp_buf_ptr = NULL; 334 create_struct.jmp_buf_size = 0; 335 create_struct.longjmp_fn = 0; 336 # endif 337 338 *png_ptr = create_struct; 339 340 /* This is the successful return point */ 341 return png_ptr; 342 } 343 } 344 } 345 346 /* A longjmp because of a bug in the application storage allocator or a 347 * simple failure to allocate the png_struct. 348 */ 349 return NULL; 350 } 351 352 /* Allocate the memory for an info_struct for the application. */ 353 PNG_FUNCTION(png_infop,PNGAPI 354 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED) 355 { 356 png_inforp info_ptr; 357 358 png_debug(1, "in png_create_info_struct"); 359 360 if (png_ptr == NULL) 361 return NULL; 362 363 /* Use the internal API that does not (or at least should not) error out, so 364 * that this call always returns ok. The application typically sets up the 365 * error handling *after* creating the info_struct because this is the way it 366 * has always been done in 'example.c'. 367 */ 368 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr, 369 (sizeof *info_ptr))); 370 371 if (info_ptr != NULL) 372 memset(info_ptr, 0, (sizeof *info_ptr)); 373 374 return info_ptr; 375 } 376 377 /* This function frees the memory associated with a single info struct. 378 * Normally, one would use either png_destroy_read_struct() or 379 * png_destroy_write_struct() to free an info struct, but this may be 380 * useful for some applications. From libpng 1.6.0 this function is also used 381 * internally to implement the png_info release part of the 'struct' destroy 382 * APIs. This ensures that all possible approaches free the same data (all of 383 * it). 384 */ 385 void PNGAPI 386 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr) 387 { 388 png_inforp info_ptr = NULL; 389 390 png_debug(1, "in png_destroy_info_struct"); 391 392 if (png_ptr == NULL) 393 return; 394 395 if (info_ptr_ptr != NULL) 396 info_ptr = *info_ptr_ptr; 397 398 if (info_ptr != NULL) 399 { 400 /* Do this first in case of an error below; if the app implements its own 401 * memory management this can lead to png_free calling png_error, which 402 * will abort this routine and return control to the app error handler. 403 * An infinite loop may result if it then tries to free the same info 404 * ptr. 405 */ 406 *info_ptr_ptr = NULL; 407 408 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1); 409 memset(info_ptr, 0, (sizeof *info_ptr)); 410 png_free(png_ptr, info_ptr); 411 } 412 } 413 414 /* Initialize the info structure. This is now an internal function (0.89) 415 * and applications using it are urged to use png_create_info_struct() 416 * instead. Use deprecated in 1.6.0, internal use removed (used internally it 417 * is just a memset). 418 * 419 * NOTE: it is almost inconceivable that this API is used because it bypasses 420 * the user-memory mechanism and the user error handling/warning mechanisms in 421 * those cases where it does anything other than a memset. 422 */ 423 PNG_FUNCTION(void,PNGAPI 424 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size), 425 PNG_DEPRECATED) 426 { 427 png_inforp info_ptr = *ptr_ptr; 428 429 png_debug(1, "in png_info_init_3"); 430 431 if (info_ptr == NULL) 432 return; 433 434 if ((sizeof (png_info)) > png_info_struct_size) 435 { 436 *ptr_ptr = NULL; 437 /* The following line is why this API should not be used: */ 438 free(info_ptr); 439 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL, 440 (sizeof *info_ptr))); 441 if (info_ptr == NULL) 442 return; 443 *ptr_ptr = info_ptr; 444 } 445 446 /* Set everything to 0 */ 447 memset(info_ptr, 0, (sizeof *info_ptr)); 448 } 449 450 /* The following API is not called internally */ 451 void PNGAPI 452 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr, 453 int freer, png_uint_32 mask) 454 { 455 png_debug(1, "in png_data_freer"); 456 457 if (png_ptr == NULL || info_ptr == NULL) 458 return; 459 460 if (freer == PNG_DESTROY_WILL_FREE_DATA) 461 info_ptr->free_me |= mask; 462 463 else if (freer == PNG_USER_WILL_FREE_DATA) 464 info_ptr->free_me &= ~mask; 465 466 else 467 png_error(png_ptr, "Unknown freer parameter in png_data_freer"); 468 } 469 470 void PNGAPI 471 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, 472 int num) 473 { 474 png_debug(1, "in png_free_data"); 475 476 if (png_ptr == NULL || info_ptr == NULL) 477 return; 478 479 #ifdef PNG_TEXT_SUPPORTED 480 /* Free text item num or (if num == -1) all text items */ 481 if (info_ptr->text != NULL && 482 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0) 483 { 484 if (num != -1) 485 { 486 png_free(png_ptr, info_ptr->text[num].key); 487 info_ptr->text[num].key = NULL; 488 } 489 490 else 491 { 492 int i; 493 494 for (i = 0; i < info_ptr->num_text; i++) 495 png_free(png_ptr, info_ptr->text[i].key); 496 497 png_free(png_ptr, info_ptr->text); 498 info_ptr->text = NULL; 499 info_ptr->num_text = 0; 500 info_ptr->max_text = 0; 501 } 502 } 503 #endif 504 505 #ifdef PNG_tRNS_SUPPORTED 506 /* Free any tRNS entry */ 507 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0) 508 { 509 info_ptr->valid &= ~PNG_INFO_tRNS; 510 png_free(png_ptr, info_ptr->trans_alpha); 511 info_ptr->trans_alpha = NULL; 512 info_ptr->num_trans = 0; 513 } 514 #endif 515 516 #ifdef PNG_sCAL_SUPPORTED 517 /* Free any sCAL entry */ 518 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0) 519 { 520 png_free(png_ptr, info_ptr->scal_s_width); 521 png_free(png_ptr, info_ptr->scal_s_height); 522 info_ptr->scal_s_width = NULL; 523 info_ptr->scal_s_height = NULL; 524 info_ptr->valid &= ~PNG_INFO_sCAL; 525 } 526 #endif 527 528 #ifdef PNG_pCAL_SUPPORTED 529 /* Free any pCAL entry */ 530 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0) 531 { 532 png_free(png_ptr, info_ptr->pcal_purpose); 533 png_free(png_ptr, info_ptr->pcal_units); 534 info_ptr->pcal_purpose = NULL; 535 info_ptr->pcal_units = NULL; 536 537 if (info_ptr->pcal_params != NULL) 538 { 539 int i; 540 541 for (i = 0; i < info_ptr->pcal_nparams; i++) 542 png_free(png_ptr, info_ptr->pcal_params[i]); 543 544 png_free(png_ptr, info_ptr->pcal_params); 545 info_ptr->pcal_params = NULL; 546 } 547 info_ptr->valid &= ~PNG_INFO_pCAL; 548 } 549 #endif 550 551 #ifdef PNG_iCCP_SUPPORTED 552 /* Free any profile entry */ 553 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0) 554 { 555 png_free(png_ptr, info_ptr->iccp_name); 556 png_free(png_ptr, info_ptr->iccp_profile); 557 info_ptr->iccp_name = NULL; 558 info_ptr->iccp_profile = NULL; 559 info_ptr->valid &= ~PNG_INFO_iCCP; 560 } 561 #endif 562 563 #ifdef PNG_sPLT_SUPPORTED 564 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */ 565 if (info_ptr->splt_palettes != NULL && 566 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0) 567 { 568 if (num != -1) 569 { 570 png_free(png_ptr, info_ptr->splt_palettes[num].name); 571 png_free(png_ptr, info_ptr->splt_palettes[num].entries); 572 info_ptr->splt_palettes[num].name = NULL; 573 info_ptr->splt_palettes[num].entries = NULL; 574 } 575 576 else 577 { 578 int i; 579 580 for (i = 0; i < info_ptr->splt_palettes_num; i++) 581 { 582 png_free(png_ptr, info_ptr->splt_palettes[i].name); 583 png_free(png_ptr, info_ptr->splt_palettes[i].entries); 584 } 585 586 png_free(png_ptr, info_ptr->splt_palettes); 587 info_ptr->splt_palettes = NULL; 588 info_ptr->splt_palettes_num = 0; 589 info_ptr->valid &= ~PNG_INFO_sPLT; 590 } 591 } 592 #endif 593 594 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED 595 if (info_ptr->unknown_chunks != NULL && 596 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0) 597 { 598 if (num != -1) 599 { 600 png_free(png_ptr, info_ptr->unknown_chunks[num].data); 601 info_ptr->unknown_chunks[num].data = NULL; 602 } 603 604 else 605 { 606 int i; 607 608 for (i = 0; i < info_ptr->unknown_chunks_num; i++) 609 png_free(png_ptr, info_ptr->unknown_chunks[i].data); 610 611 png_free(png_ptr, info_ptr->unknown_chunks); 612 info_ptr->unknown_chunks = NULL; 613 info_ptr->unknown_chunks_num = 0; 614 } 615 } 616 #endif 617 618 #ifdef PNG_eXIf_SUPPORTED 619 /* Free any eXIf entry */ 620 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0) 621 { 622 # ifdef PNG_READ_eXIf_SUPPORTED 623 if (info_ptr->eXIf_buf) 624 { 625 png_free(png_ptr, info_ptr->eXIf_buf); 626 info_ptr->eXIf_buf = NULL; 627 } 628 # endif 629 if (info_ptr->exif) 630 { 631 png_free(png_ptr, info_ptr->exif); 632 info_ptr->exif = NULL; 633 } 634 info_ptr->valid &= ~PNG_INFO_eXIf; 635 } 636 #endif 637 638 #ifdef PNG_hIST_SUPPORTED 639 /* Free any hIST entry */ 640 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0) 641 { 642 png_free(png_ptr, info_ptr->hist); 643 info_ptr->hist = NULL; 644 info_ptr->valid &= ~PNG_INFO_hIST; 645 } 646 #endif 647 648 /* Free any PLTE entry that was internally allocated */ 649 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0) 650 { 651 png_free(png_ptr, info_ptr->palette); 652 info_ptr->palette = NULL; 653 info_ptr->valid &= ~PNG_INFO_PLTE; 654 info_ptr->num_palette = 0; 655 } 656 657 #ifdef PNG_INFO_IMAGE_SUPPORTED 658 /* Free any image bits attached to the info structure */ 659 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0) 660 { 661 if (info_ptr->row_pointers != NULL) 662 { 663 png_uint_32 row; 664 for (row = 0; row < info_ptr->height; row++) 665 png_free(png_ptr, info_ptr->row_pointers[row]); 666 667 png_free(png_ptr, info_ptr->row_pointers); 668 info_ptr->row_pointers = NULL; 669 } 670 info_ptr->valid &= ~PNG_INFO_IDAT; 671 } 672 #endif 673 674 if (num != -1) 675 mask &= ~PNG_FREE_MUL; 676 677 info_ptr->free_me &= ~mask; 678 } 679 #endif /* READ || WRITE */ 680 681 /* This function returns a pointer to the io_ptr associated with the user 682 * functions. The application should free any memory associated with this 683 * pointer before png_write_destroy() or png_read_destroy() are called. 684 */ 685 png_voidp PNGAPI 686 png_get_io_ptr(png_const_structrp png_ptr) 687 { 688 if (png_ptr == NULL) 689 return (NULL); 690 691 return (png_ptr->io_ptr); 692 } 693 694 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 695 # ifdef PNG_STDIO_SUPPORTED 696 /* Initialize the default input/output functions for the PNG file. If you 697 * use your own read or write routines, you can call either png_set_read_fn() 698 * or png_set_write_fn() instead of png_init_io(). If you have defined 699 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a 700 * function of your own because "FILE *" isn't necessarily available. 701 */ 702 void PNGAPI 703 png_init_io(png_structrp png_ptr, png_FILE_p fp) 704 { 705 png_debug(1, "in png_init_io"); 706 707 if (png_ptr == NULL) 708 return; 709 710 png_ptr->io_ptr = (png_voidp)fp; 711 } 712 # endif 713 714 # ifdef PNG_SAVE_INT_32_SUPPORTED 715 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90 716 * defines a cast of a signed integer to an unsigned integer either to preserve 717 * the value, if it is positive, or to calculate: 718 * 719 * (UNSIGNED_MAX+1) + integer 720 * 721 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the 722 * negative integral value is added the result will be an unsigned value 723 * correspnding to the 2's complement representation. 724 */ 725 void PNGAPI 726 png_save_int_32(png_bytep buf, png_int_32 i) 727 { 728 png_save_uint_32(buf, (png_uint_32)i); 729 } 730 # endif 731 732 # ifdef PNG_TIME_RFC1123_SUPPORTED 733 /* Convert the supplied time into an RFC 1123 string suitable for use in 734 * a "Creation Time" or other text-based time string. 735 */ 736 int PNGAPI 737 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime) 738 { 739 static PNG_CONST char short_months[12][4] = 740 {"Jan", "Feb", "Mar", "Apr", "May", "Jun", 741 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}; 742 743 if (out == NULL) 744 return 0; 745 746 if (ptime->year > 9999 /* RFC1123 limitation */ || 747 ptime->month == 0 || ptime->month > 12 || 748 ptime->day == 0 || ptime->day > 31 || 749 ptime->hour > 23 || ptime->minute > 59 || 750 ptime->second > 60) 751 return 0; 752 753 { 754 size_t pos = 0; 755 char number_buf[5]; /* enough for a four-digit year */ 756 757 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string)) 758 # define APPEND_NUMBER(format, value)\ 759 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value))) 760 # define APPEND(ch) if (pos < 28) out[pos++] = (ch) 761 762 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day); 763 APPEND(' '); 764 APPEND_STRING(short_months[(ptime->month - 1)]); 765 APPEND(' '); 766 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year); 767 APPEND(' '); 768 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour); 769 APPEND(':'); 770 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute); 771 APPEND(':'); 772 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second); 773 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */ 774 PNG_UNUSED (pos) 775 776 # undef APPEND 777 # undef APPEND_NUMBER 778 # undef APPEND_STRING 779 } 780 781 return 1; 782 } 783 784 # if PNG_LIBPNG_VER < 10700 785 /* To do: remove the following from libpng-1.7 */ 786 /* Original API that uses a private buffer in png_struct. 787 * Deprecated because it causes png_struct to carry a spurious temporary 788 * buffer (png_struct::time_buffer), better to have the caller pass this in. 789 */ 790 png_const_charp PNGAPI 791 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime) 792 { 793 if (png_ptr != NULL) 794 { 795 /* The only failure above if png_ptr != NULL is from an invalid ptime */ 796 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0) 797 png_warning(png_ptr, "Ignoring invalid time value"); 798 799 else 800 return png_ptr->time_buffer; 801 } 802 803 return NULL; 804 } 805 # endif /* LIBPNG_VER < 10700 */ 806 # endif /* TIME_RFC1123 */ 807 808 #endif /* READ || WRITE */ 809 810 png_const_charp PNGAPI 811 png_get_copyright(png_const_structrp png_ptr) 812 { 813 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 814 #ifdef PNG_STRING_COPYRIGHT 815 return PNG_STRING_COPYRIGHT 816 #else 817 # ifdef __STDC__ 818 return PNG_STRING_NEWLINE \ 819 "libpng version 1.6.34 - September 29, 2017" PNG_STRING_NEWLINE \ 820 "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \ 821 PNG_STRING_NEWLINE \ 822 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ 823 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ 824 PNG_STRING_NEWLINE; 825 # else 826 return "libpng version 1.6.34 - September 29, 2017\ 827 Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\ 828 Copyright (c) 1996-1997 Andreas Dilger\ 829 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; 830 # endif 831 #endif 832 } 833 834 /* The following return the library version as a short string in the 835 * format 1.0.0 through 99.99.99zz. To get the version of *.h files 836 * used with your application, print out PNG_LIBPNG_VER_STRING, which 837 * is defined in png.h. 838 * Note: now there is no difference between png_get_libpng_ver() and 839 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard, 840 * it is guaranteed that png.c uses the correct version of png.h. 841 */ 842 png_const_charp PNGAPI 843 png_get_libpng_ver(png_const_structrp png_ptr) 844 { 845 /* Version of *.c files used when building libpng */ 846 return png_get_header_ver(png_ptr); 847 } 848 849 png_const_charp PNGAPI 850 png_get_header_ver(png_const_structrp png_ptr) 851 { 852 /* Version of *.h files used when building libpng */ 853 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 854 return PNG_LIBPNG_VER_STRING; 855 } 856 857 png_const_charp PNGAPI 858 png_get_header_version(png_const_structrp png_ptr) 859 { 860 /* Returns longer string containing both version and date */ 861 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 862 #ifdef __STDC__ 863 return PNG_HEADER_VERSION_STRING 864 # ifndef PNG_READ_SUPPORTED 865 " (NO READ SUPPORT)" 866 # endif 867 PNG_STRING_NEWLINE; 868 #else 869 return PNG_HEADER_VERSION_STRING; 870 #endif 871 } 872 873 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED 874 /* NOTE: this routine is not used internally! */ 875 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth 876 * large of png_color. This lets grayscale images be treated as 877 * paletted. Most useful for gamma correction and simplification 878 * of code. This API is not used internally. 879 */ 880 void PNGAPI 881 png_build_grayscale_palette(int bit_depth, png_colorp palette) 882 { 883 int num_palette; 884 int color_inc; 885 int i; 886 int v; 887 888 png_debug(1, "in png_do_build_grayscale_palette"); 889 890 if (palette == NULL) 891 return; 892 893 switch (bit_depth) 894 { 895 case 1: 896 num_palette = 2; 897 color_inc = 0xff; 898 break; 899 900 case 2: 901 num_palette = 4; 902 color_inc = 0x55; 903 break; 904 905 case 4: 906 num_palette = 16; 907 color_inc = 0x11; 908 break; 909 910 case 8: 911 num_palette = 256; 912 color_inc = 1; 913 break; 914 915 default: 916 num_palette = 0; 917 color_inc = 0; 918 break; 919 } 920 921 for (i = 0, v = 0; i < num_palette; i++, v += color_inc) 922 { 923 palette[i].red = (png_byte)(v & 0xff); 924 palette[i].green = (png_byte)(v & 0xff); 925 palette[i].blue = (png_byte)(v & 0xff); 926 } 927 } 928 #endif 929 930 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED 931 int PNGAPI 932 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name) 933 { 934 /* Check chunk_name and return "keep" value if it's on the list, else 0 */ 935 png_const_bytep p, p_end; 936 937 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0) 938 return PNG_HANDLE_CHUNK_AS_DEFAULT; 939 940 p_end = png_ptr->chunk_list; 941 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */ 942 943 /* The code is the fifth byte after each four byte string. Historically this 944 * code was always searched from the end of the list, this is no longer 945 * necessary because the 'set' routine handles duplicate entries correcty. 946 */ 947 do /* num_chunk_list > 0, so at least one */ 948 { 949 p -= 5; 950 951 if (memcmp(chunk_name, p, 4) == 0) 952 return p[4]; 953 } 954 while (p > p_end); 955 956 /* This means that known chunks should be processed and unknown chunks should 957 * be handled according to the value of png_ptr->unknown_default; this can be 958 * confusing because, as a result, there are two levels of defaulting for 959 * unknown chunks. 960 */ 961 return PNG_HANDLE_CHUNK_AS_DEFAULT; 962 } 963 964 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\ 965 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED) 966 int /* PRIVATE */ 967 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name) 968 { 969 png_byte chunk_string[5]; 970 971 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name); 972 return png_handle_as_unknown(png_ptr, chunk_string); 973 } 974 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */ 975 #endif /* SET_UNKNOWN_CHUNKS */ 976 977 #ifdef PNG_READ_SUPPORTED 978 /* This function, added to libpng-1.0.6g, is untested. */ 979 int PNGAPI 980 png_reset_zstream(png_structrp png_ptr) 981 { 982 if (png_ptr == NULL) 983 return Z_STREAM_ERROR; 984 985 /* WARNING: this resets the window bits to the maximum! */ 986 return (inflateReset(&png_ptr->zstream)); 987 } 988 #endif /* READ */ 989 990 /* This function was added to libpng-1.0.7 */ 991 png_uint_32 PNGAPI 992 png_access_version_number(void) 993 { 994 /* Version of *.c files used when building libpng */ 995 return((png_uint_32)PNG_LIBPNG_VER); 996 } 997 998 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 999 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string. 1000 * If it doesn't 'ret' is used to set it to something appropriate, even in cases 1001 * like Z_OK or Z_STREAM_END where the error code is apparently a success code. 1002 */ 1003 void /* PRIVATE */ 1004 png_zstream_error(png_structrp png_ptr, int ret) 1005 { 1006 /* Translate 'ret' into an appropriate error string, priority is given to the 1007 * one in zstream if set. This always returns a string, even in cases like 1008 * Z_OK or Z_STREAM_END where the error code is a success code. 1009 */ 1010 if (png_ptr->zstream.msg == NULL) switch (ret) 1011 { 1012 default: 1013 case Z_OK: 1014 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code"); 1015 break; 1016 1017 case Z_STREAM_END: 1018 /* Normal exit */ 1019 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream"); 1020 break; 1021 1022 case Z_NEED_DICT: 1023 /* This means the deflate stream did not have a dictionary; this 1024 * indicates a bogus PNG. 1025 */ 1026 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary"); 1027 break; 1028 1029 case Z_ERRNO: 1030 /* gz APIs only: should not happen */ 1031 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error"); 1032 break; 1033 1034 case Z_STREAM_ERROR: 1035 /* internal libpng error */ 1036 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib"); 1037 break; 1038 1039 case Z_DATA_ERROR: 1040 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream"); 1041 break; 1042 1043 case Z_MEM_ERROR: 1044 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory"); 1045 break; 1046 1047 case Z_BUF_ERROR: 1048 /* End of input or output; not a problem if the caller is doing 1049 * incremental read or write. 1050 */ 1051 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated"); 1052 break; 1053 1054 case Z_VERSION_ERROR: 1055 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version"); 1056 break; 1057 1058 case PNG_UNEXPECTED_ZLIB_RETURN: 1059 /* Compile errors here mean that zlib now uses the value co-opted in 1060 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above 1061 * and change pngpriv.h. Note that this message is "... return", 1062 * whereas the default/Z_OK one is "... return code". 1063 */ 1064 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return"); 1065 break; 1066 } 1067 } 1068 1069 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted 1070 * at libpng 1.5.5! 1071 */ 1072 1073 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */ 1074 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */ 1075 static int 1076 png_colorspace_check_gamma(png_const_structrp png_ptr, 1077 png_colorspacerp colorspace, png_fixed_point gAMA, int from) 1078 /* This is called to check a new gamma value against an existing one. The 1079 * routine returns false if the new gamma value should not be written. 1080 * 1081 * 'from' says where the new gamma value comes from: 1082 * 1083 * 0: the new gamma value is the libpng estimate for an ICC profile 1084 * 1: the new gamma value comes from a gAMA chunk 1085 * 2: the new gamma value comes from an sRGB chunk 1086 */ 1087 { 1088 png_fixed_point gtest; 1089 1090 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 && 1091 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 || 1092 png_gamma_significant(gtest) != 0)) 1093 { 1094 /* Either this is an sRGB image, in which case the calculated gamma 1095 * approximation should match, or this is an image with a profile and the 1096 * value libpng calculates for the gamma of the profile does not match the 1097 * value recorded in the file. The former, sRGB, case is an error, the 1098 * latter is just a warning. 1099 */ 1100 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2) 1101 { 1102 png_chunk_report(png_ptr, "gamma value does not match sRGB", 1103 PNG_CHUNK_ERROR); 1104 /* Do not overwrite an sRGB value */ 1105 return from == 2; 1106 } 1107 1108 else /* sRGB tag not involved */ 1109 { 1110 png_chunk_report(png_ptr, "gamma value does not match libpng estimate", 1111 PNG_CHUNK_WARNING); 1112 return from == 1; 1113 } 1114 } 1115 1116 return 1; 1117 } 1118 1119 void /* PRIVATE */ 1120 png_colorspace_set_gamma(png_const_structrp png_ptr, 1121 png_colorspacerp colorspace, png_fixed_point gAMA) 1122 { 1123 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't 1124 * occur. Since the fixed point representation is asymetrical it is 1125 * possible for 1/gamma to overflow the limit of 21474 and this means the 1126 * gamma value must be at least 5/100000 and hence at most 20000.0. For 1127 * safety the limits here are a little narrower. The values are 0.00016 to 1128 * 6250.0, which are truly ridiculous gamma values (and will produce 1129 * displays that are all black or all white.) 1130 * 1131 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk 1132 * handling code, which only required the value to be >0. 1133 */ 1134 png_const_charp errmsg; 1135 1136 if (gAMA < 16 || gAMA > 625000000) 1137 errmsg = "gamma value out of range"; 1138 1139 # ifdef PNG_READ_gAMA_SUPPORTED 1140 /* Allow the application to set the gamma value more than once */ 1141 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && 1142 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) 1143 errmsg = "duplicate"; 1144 # endif 1145 1146 /* Do nothing if the colorspace is already invalid */ 1147 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1148 return; 1149 1150 else 1151 { 1152 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA, 1153 1/*from gAMA*/) != 0) 1154 { 1155 /* Store this gamma value. */ 1156 colorspace->gamma = gAMA; 1157 colorspace->flags |= 1158 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA); 1159 } 1160 1161 /* At present if the check_gamma test fails the gamma of the colorspace is 1162 * not updated however the colorspace is not invalidated. This 1163 * corresponds to the case where the existing gamma comes from an sRGB 1164 * chunk or profile. An error message has already been output. 1165 */ 1166 return; 1167 } 1168 1169 /* Error exit - errmsg has been set. */ 1170 colorspace->flags |= PNG_COLORSPACE_INVALID; 1171 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR); 1172 } 1173 1174 void /* PRIVATE */ 1175 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr) 1176 { 1177 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) 1178 { 1179 /* Everything is invalid */ 1180 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB| 1181 PNG_INFO_iCCP); 1182 1183 # ifdef PNG_COLORSPACE_SUPPORTED 1184 /* Clean up the iCCP profile now if it won't be used. */ 1185 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); 1186 # else 1187 PNG_UNUSED(png_ptr) 1188 # endif 1189 } 1190 1191 else 1192 { 1193 # ifdef PNG_COLORSPACE_SUPPORTED 1194 /* Leave the INFO_iCCP flag set if the pngset.c code has already set 1195 * it; this allows a PNG to contain a profile which matches sRGB and 1196 * yet still have that profile retrievable by the application. 1197 */ 1198 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) 1199 info_ptr->valid |= PNG_INFO_sRGB; 1200 1201 else 1202 info_ptr->valid &= ~PNG_INFO_sRGB; 1203 1204 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1205 info_ptr->valid |= PNG_INFO_cHRM; 1206 1207 else 1208 info_ptr->valid &= ~PNG_INFO_cHRM; 1209 # endif 1210 1211 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0) 1212 info_ptr->valid |= PNG_INFO_gAMA; 1213 1214 else 1215 info_ptr->valid &= ~PNG_INFO_gAMA; 1216 } 1217 } 1218 1219 #ifdef PNG_READ_SUPPORTED 1220 void /* PRIVATE */ 1221 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr) 1222 { 1223 if (info_ptr == NULL) /* reduce code size; check here not in the caller */ 1224 return; 1225 1226 info_ptr->colorspace = png_ptr->colorspace; 1227 png_colorspace_sync_info(png_ptr, info_ptr); 1228 } 1229 #endif 1230 #endif /* GAMMA */ 1231 1232 #ifdef PNG_COLORSPACE_SUPPORTED 1233 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for 1234 * cHRM, as opposed to using chromaticities. These internal APIs return 1235 * non-zero on a parameter error. The X, Y and Z values are required to be 1236 * positive and less than 1.0. 1237 */ 1238 static int 1239 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ) 1240 { 1241 png_int_32 d, dwhite, whiteX, whiteY; 1242 1243 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z; 1244 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0) 1245 return 1; 1246 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0) 1247 return 1; 1248 dwhite = d; 1249 whiteX = XYZ->red_X; 1250 whiteY = XYZ->red_Y; 1251 1252 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z; 1253 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0) 1254 return 1; 1255 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0) 1256 return 1; 1257 dwhite += d; 1258 whiteX += XYZ->green_X; 1259 whiteY += XYZ->green_Y; 1260 1261 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z; 1262 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0) 1263 return 1; 1264 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0) 1265 return 1; 1266 dwhite += d; 1267 whiteX += XYZ->blue_X; 1268 whiteY += XYZ->blue_Y; 1269 1270 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors, 1271 * thus: 1272 */ 1273 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0) 1274 return 1; 1275 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0) 1276 return 1; 1277 1278 return 0; 1279 } 1280 1281 static int 1282 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy) 1283 { 1284 png_fixed_point red_inverse, green_inverse, blue_scale; 1285 png_fixed_point left, right, denominator; 1286 1287 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically 1288 * have end points with 0 tristimulus values (these are impossible end 1289 * points, but they are used to cover the possible colors). We check 1290 * xy->whitey against 5, not 0, to avoid a possible integer overflow. 1291 */ 1292 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; 1293 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; 1294 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1; 1295 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1; 1296 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; 1297 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; 1298 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1; 1299 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1; 1300 1301 /* The reverse calculation is more difficult because the original tristimulus 1302 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8 1303 * derived values were recorded in the cHRM chunk; 1304 * (red,green,blue,white)x(x,y). This loses one degree of freedom and 1305 * therefore an arbitrary ninth value has to be introduced to undo the 1306 * original transformations. 1307 * 1308 * Think of the original end-points as points in (X,Y,Z) space. The 1309 * chromaticity values (c) have the property: 1310 * 1311 * C 1312 * c = --------- 1313 * X + Y + Z 1314 * 1315 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the 1316 * three chromaticity values (x,y,z) for each end-point obey the 1317 * relationship: 1318 * 1319 * x + y + z = 1 1320 * 1321 * This describes the plane in (X,Y,Z) space that intersects each axis at the 1322 * value 1.0; call this the chromaticity plane. Thus the chromaticity 1323 * calculation has scaled each end-point so that it is on the x+y+z=1 plane 1324 * and chromaticity is the intersection of the vector from the origin to the 1325 * (X,Y,Z) value with the chromaticity plane. 1326 * 1327 * To fully invert the chromaticity calculation we would need the three 1328 * end-point scale factors, (red-scale, green-scale, blue-scale), but these 1329 * were not recorded. Instead we calculated the reference white (X,Y,Z) and 1330 * recorded the chromaticity of this. The reference white (X,Y,Z) would have 1331 * given all three of the scale factors since: 1332 * 1333 * color-C = color-c * color-scale 1334 * white-C = red-C + green-C + blue-C 1335 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1336 * 1337 * But cHRM records only white-x and white-y, so we have lost the white scale 1338 * factor: 1339 * 1340 * white-C = white-c*white-scale 1341 * 1342 * To handle this the inverse transformation makes an arbitrary assumption 1343 * about white-scale: 1344 * 1345 * Assume: white-Y = 1.0 1346 * Hence: white-scale = 1/white-y 1347 * Or: red-Y + green-Y + blue-Y = 1.0 1348 * 1349 * Notice the last statement of the assumption gives an equation in three of 1350 * the nine values we want to calculate. 8 more equations come from the 1351 * above routine as summarised at the top above (the chromaticity 1352 * calculation): 1353 * 1354 * Given: color-x = color-X / (color-X + color-Y + color-Z) 1355 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0 1356 * 1357 * This is 9 simultaneous equations in the 9 variables "color-C" and can be 1358 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix 1359 * determinants, however this is not as bad as it seems because only 28 of 1360 * the total of 90 terms in the various matrices are non-zero. Nevertheless 1361 * Cramer's rule is notoriously numerically unstable because the determinant 1362 * calculation involves the difference of large, but similar, numbers. It is 1363 * difficult to be sure that the calculation is stable for real world values 1364 * and it is certain that it becomes unstable where the end points are close 1365 * together. 1366 * 1367 * So this code uses the perhaps slightly less optimal but more 1368 * understandable and totally obvious approach of calculating color-scale. 1369 * 1370 * This algorithm depends on the precision in white-scale and that is 1371 * (1/white-y), so we can immediately see that as white-y approaches 0 the 1372 * accuracy inherent in the cHRM chunk drops off substantially. 1373 * 1374 * libpng arithmetic: a simple inversion of the above equations 1375 * ------------------------------------------------------------ 1376 * 1377 * white_scale = 1/white-y 1378 * white-X = white-x * white-scale 1379 * white-Y = 1.0 1380 * white-Z = (1 - white-x - white-y) * white_scale 1381 * 1382 * white-C = red-C + green-C + blue-C 1383 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1384 * 1385 * This gives us three equations in (red-scale,green-scale,blue-scale) where 1386 * all the coefficients are now known: 1387 * 1388 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale 1389 * = white-x/white-y 1390 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1 1391 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale 1392 * = (1 - white-x - white-y)/white-y 1393 * 1394 * In the last equation color-z is (1 - color-x - color-y) so we can add all 1395 * three equations together to get an alternative third: 1396 * 1397 * red-scale + green-scale + blue-scale = 1/white-y = white-scale 1398 * 1399 * So now we have a Cramer's rule solution where the determinants are just 1400 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve 1401 * multiplication of three coefficients so we can't guarantee to avoid 1402 * overflow in the libpng fixed point representation. Using Cramer's rule in 1403 * floating point is probably a good choice here, but it's not an option for 1404 * fixed point. Instead proceed to simplify the first two equations by 1405 * eliminating what is likely to be the largest value, blue-scale: 1406 * 1407 * blue-scale = white-scale - red-scale - green-scale 1408 * 1409 * Hence: 1410 * 1411 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale = 1412 * (white-x - blue-x)*white-scale 1413 * 1414 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale = 1415 * 1 - blue-y*white-scale 1416 * 1417 * And now we can trivially solve for (red-scale,green-scale): 1418 * 1419 * green-scale = 1420 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale 1421 * ----------------------------------------------------------- 1422 * green-x - blue-x 1423 * 1424 * red-scale = 1425 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale 1426 * --------------------------------------------------------- 1427 * red-y - blue-y 1428 * 1429 * Hence: 1430 * 1431 * red-scale = 1432 * ( (green-x - blue-x) * (white-y - blue-y) - 1433 * (green-y - blue-y) * (white-x - blue-x) ) / white-y 1434 * ------------------------------------------------------------------------- 1435 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1436 * 1437 * green-scale = 1438 * ( (red-y - blue-y) * (white-x - blue-x) - 1439 * (red-x - blue-x) * (white-y - blue-y) ) / white-y 1440 * ------------------------------------------------------------------------- 1441 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1442 * 1443 * Accuracy: 1444 * The input values have 5 decimal digits of accuracy. The values are all in 1445 * the range 0 < value < 1, so simple products are in the same range but may 1446 * need up to 10 decimal digits to preserve the original precision and avoid 1447 * underflow. Because we are using a 32-bit signed representation we cannot 1448 * match this; the best is a little over 9 decimal digits, less than 10. 1449 * 1450 * The approach used here is to preserve the maximum precision within the 1451 * signed representation. Because the red-scale calculation above uses the 1452 * difference between two products of values that must be in the range -1..+1 1453 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The 1454 * factor is irrelevant in the calculation because it is applied to both 1455 * numerator and denominator. 1456 * 1457 * Note that the values of the differences of the products of the 1458 * chromaticities in the above equations tend to be small, for example for 1459 * the sRGB chromaticities they are: 1460 * 1461 * red numerator: -0.04751 1462 * green numerator: -0.08788 1463 * denominator: -0.2241 (without white-y multiplication) 1464 * 1465 * The resultant Y coefficients from the chromaticities of some widely used 1466 * color space definitions are (to 15 decimal places): 1467 * 1468 * sRGB 1469 * 0.212639005871510 0.715168678767756 0.072192315360734 1470 * Kodak ProPhoto 1471 * 0.288071128229293 0.711843217810102 0.000085653960605 1472 * Adobe RGB 1473 * 0.297344975250536 0.627363566255466 0.075291458493998 1474 * Adobe Wide Gamut RGB 1475 * 0.258728243040113 0.724682314948566 0.016589442011321 1476 */ 1477 /* By the argument, above overflow should be impossible here. The return 1478 * value of 2 indicates an internal error to the caller. 1479 */ 1480 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0) 1481 return 2; 1482 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0) 1483 return 2; 1484 denominator = left - right; 1485 1486 /* Now find the red numerator. */ 1487 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1488 return 2; 1489 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1490 return 2; 1491 1492 /* Overflow is possible here and it indicates an extreme set of PNG cHRM 1493 * chunk values. This calculation actually returns the reciprocal of the 1494 * scale value because this allows us to delay the multiplication of white-y 1495 * into the denominator, which tends to produce a small number. 1496 */ 1497 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 || 1498 red_inverse <= xy->whitey /* r+g+b scales = white scale */) 1499 return 1; 1500 1501 /* Similarly for green_inverse: */ 1502 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1503 return 2; 1504 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1505 return 2; 1506 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 || 1507 green_inverse <= xy->whitey) 1508 return 1; 1509 1510 /* And the blue scale, the checks above guarantee this can't overflow but it 1511 * can still produce 0 for extreme cHRM values. 1512 */ 1513 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) - 1514 png_reciprocal(green_inverse); 1515 if (blue_scale <= 0) 1516 return 1; 1517 1518 1519 /* And fill in the png_XYZ: */ 1520 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0) 1521 return 1; 1522 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0) 1523 return 1; 1524 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1, 1525 red_inverse) == 0) 1526 return 1; 1527 1528 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0) 1529 return 1; 1530 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0) 1531 return 1; 1532 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1, 1533 green_inverse) == 0) 1534 return 1; 1535 1536 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0) 1537 return 1; 1538 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0) 1539 return 1; 1540 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale, 1541 PNG_FP_1) == 0) 1542 return 1; 1543 1544 return 0; /*success*/ 1545 } 1546 1547 static int 1548 png_XYZ_normalize(png_XYZ *XYZ) 1549 { 1550 png_int_32 Y; 1551 1552 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 || 1553 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 || 1554 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0) 1555 return 1; 1556 1557 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. 1558 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore 1559 * relying on addition of two positive values producing a negative one is not 1560 * safe. 1561 */ 1562 Y = XYZ->red_Y; 1563 if (0x7fffffff - Y < XYZ->green_X) 1564 return 1; 1565 Y += XYZ->green_Y; 1566 if (0x7fffffff - Y < XYZ->blue_X) 1567 return 1; 1568 Y += XYZ->blue_Y; 1569 1570 if (Y != PNG_FP_1) 1571 { 1572 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0) 1573 return 1; 1574 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0) 1575 return 1; 1576 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0) 1577 return 1; 1578 1579 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0) 1580 return 1; 1581 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0) 1582 return 1; 1583 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0) 1584 return 1; 1585 1586 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0) 1587 return 1; 1588 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0) 1589 return 1; 1590 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0) 1591 return 1; 1592 } 1593 1594 return 0; 1595 } 1596 1597 static int 1598 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta) 1599 { 1600 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */ 1601 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) || 1602 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) || 1603 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) || 1604 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) || 1605 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) || 1606 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) || 1607 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) || 1608 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta)) 1609 return 0; 1610 return 1; 1611 } 1612 1613 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM 1614 * chunk chromaticities. Earlier checks used to simply look for the overflow 1615 * condition (where the determinant of the matrix to solve for XYZ ends up zero 1616 * because the chromaticity values are not all distinct.) Despite this it is 1617 * theoretically possible to produce chromaticities that are apparently valid 1618 * but that rapidly degrade to invalid, potentially crashing, sets because of 1619 * arithmetic inaccuracies when calculations are performed on them. The new 1620 * check is to round-trip xy -> XYZ -> xy and then check that the result is 1621 * within a small percentage of the original. 1622 */ 1623 static int 1624 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy) 1625 { 1626 int result; 1627 png_xy xy_test; 1628 1629 /* As a side-effect this routine also returns the XYZ endpoints. */ 1630 result = png_XYZ_from_xy(XYZ, xy); 1631 if (result != 0) 1632 return result; 1633 1634 result = png_xy_from_XYZ(&xy_test, XYZ); 1635 if (result != 0) 1636 return result; 1637 1638 if (png_colorspace_endpoints_match(xy, &xy_test, 1639 5/*actually, the math is pretty accurate*/) != 0) 1640 return 0; 1641 1642 /* Too much slip */ 1643 return 1; 1644 } 1645 1646 /* This is the check going the other way. The XYZ is modified to normalize it 1647 * (another side-effect) and the xy chromaticities are returned. 1648 */ 1649 static int 1650 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ) 1651 { 1652 int result; 1653 png_XYZ XYZtemp; 1654 1655 result = png_XYZ_normalize(XYZ); 1656 if (result != 0) 1657 return result; 1658 1659 result = png_xy_from_XYZ(xy, XYZ); 1660 if (result != 0) 1661 return result; 1662 1663 XYZtemp = *XYZ; 1664 return png_colorspace_check_xy(&XYZtemp, xy); 1665 } 1666 1667 /* Used to check for an endpoint match against sRGB */ 1668 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */ 1669 { 1670 /* color x y */ 1671 /* red */ 64000, 33000, 1672 /* green */ 30000, 60000, 1673 /* blue */ 15000, 6000, 1674 /* white */ 31270, 32900 1675 }; 1676 1677 static int 1678 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr, 1679 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ, 1680 int preferred) 1681 { 1682 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1683 return 0; 1684 1685 /* The consistency check is performed on the chromaticities; this factors out 1686 * variations because of the normalization (or not) of the end point Y 1687 * values. 1688 */ 1689 if (preferred < 2 && 1690 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1691 { 1692 /* The end points must be reasonably close to any we already have. The 1693 * following allows an error of up to +/-.001 1694 */ 1695 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy, 1696 100) == 0) 1697 { 1698 colorspace->flags |= PNG_COLORSPACE_INVALID; 1699 png_benign_error(png_ptr, "inconsistent chromaticities"); 1700 return 0; /* failed */ 1701 } 1702 1703 /* Only overwrite with preferred values */ 1704 if (preferred == 0) 1705 return 1; /* ok, but no change */ 1706 } 1707 1708 colorspace->end_points_xy = *xy; 1709 colorspace->end_points_XYZ = *XYZ; 1710 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS; 1711 1712 /* The end points are normally quoted to two decimal digits, so allow +/-0.01 1713 * on this test. 1714 */ 1715 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0) 1716 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB; 1717 1718 else 1719 colorspace->flags &= PNG_COLORSPACE_CANCEL( 1720 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1721 1722 return 2; /* ok and changed */ 1723 } 1724 1725 int /* PRIVATE */ 1726 png_colorspace_set_chromaticities(png_const_structrp png_ptr, 1727 png_colorspacerp colorspace, const png_xy *xy, int preferred) 1728 { 1729 /* We must check the end points to ensure they are reasonable - in the past 1730 * color management systems have crashed as a result of getting bogus 1731 * colorant values, while this isn't the fault of libpng it is the 1732 * responsibility of libpng because PNG carries the bomb and libpng is in a 1733 * position to protect against it. 1734 */ 1735 png_XYZ XYZ; 1736 1737 switch (png_colorspace_check_xy(&XYZ, xy)) 1738 { 1739 case 0: /* success */ 1740 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ, 1741 preferred); 1742 1743 case 1: 1744 /* We can't invert the chromaticities so we can't produce value XYZ 1745 * values. Likely as not a color management system will fail too. 1746 */ 1747 colorspace->flags |= PNG_COLORSPACE_INVALID; 1748 png_benign_error(png_ptr, "invalid chromaticities"); 1749 break; 1750 1751 default: 1752 /* libpng is broken; this should be a warning but if it happens we 1753 * want error reports so for the moment it is an error. 1754 */ 1755 colorspace->flags |= PNG_COLORSPACE_INVALID; 1756 png_error(png_ptr, "internal error checking chromaticities"); 1757 } 1758 1759 return 0; /* failed */ 1760 } 1761 1762 int /* PRIVATE */ 1763 png_colorspace_set_endpoints(png_const_structrp png_ptr, 1764 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred) 1765 { 1766 png_XYZ XYZ = *XYZ_in; 1767 png_xy xy; 1768 1769 switch (png_colorspace_check_XYZ(&xy, &XYZ)) 1770 { 1771 case 0: 1772 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ, 1773 preferred); 1774 1775 case 1: 1776 /* End points are invalid. */ 1777 colorspace->flags |= PNG_COLORSPACE_INVALID; 1778 png_benign_error(png_ptr, "invalid end points"); 1779 break; 1780 1781 default: 1782 colorspace->flags |= PNG_COLORSPACE_INVALID; 1783 png_error(png_ptr, "internal error checking chromaticities"); 1784 } 1785 1786 return 0; /* failed */ 1787 } 1788 1789 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED) 1790 /* Error message generation */ 1791 static char 1792 png_icc_tag_char(png_uint_32 byte) 1793 { 1794 byte &= 0xff; 1795 if (byte >= 32 && byte <= 126) 1796 return (char)byte; 1797 else 1798 return '?'; 1799 } 1800 1801 static void 1802 png_icc_tag_name(char *name, png_uint_32 tag) 1803 { 1804 name[0] = '\''; 1805 name[1] = png_icc_tag_char(tag >> 24); 1806 name[2] = png_icc_tag_char(tag >> 16); 1807 name[3] = png_icc_tag_char(tag >> 8); 1808 name[4] = png_icc_tag_char(tag ); 1809 name[5] = '\''; 1810 } 1811 1812 static int 1813 is_ICC_signature_char(png_alloc_size_t it) 1814 { 1815 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) || 1816 (it >= 97 && it <= 122); 1817 } 1818 1819 static int 1820 is_ICC_signature(png_alloc_size_t it) 1821 { 1822 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ && 1823 is_ICC_signature_char((it >> 16) & 0xff) && 1824 is_ICC_signature_char((it >> 8) & 0xff) && 1825 is_ICC_signature_char(it & 0xff); 1826 } 1827 1828 static int 1829 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace, 1830 png_const_charp name, png_alloc_size_t value, png_const_charp reason) 1831 { 1832 size_t pos; 1833 char message[196]; /* see below for calculation */ 1834 1835 if (colorspace != NULL) 1836 colorspace->flags |= PNG_COLORSPACE_INVALID; 1837 1838 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */ 1839 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */ 1840 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */ 1841 if (is_ICC_signature(value) != 0) 1842 { 1843 /* So 'value' is at most 4 bytes and the following cast is safe */ 1844 png_icc_tag_name(message+pos, (png_uint_32)value); 1845 pos += 6; /* total +8; less than the else clause */ 1846 message[pos++] = ':'; 1847 message[pos++] = ' '; 1848 } 1849 # ifdef PNG_WARNINGS_SUPPORTED 1850 else 1851 { 1852 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/ 1853 1854 pos = png_safecat(message, (sizeof message), pos, 1855 png_format_number(number, number+(sizeof number), 1856 PNG_NUMBER_FORMAT_x, value)); 1857 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/ 1858 } 1859 # endif 1860 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */ 1861 pos = png_safecat(message, (sizeof message), pos, reason); 1862 PNG_UNUSED(pos) 1863 1864 /* This is recoverable, but make it unconditionally an app_error on write to 1865 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them 1866 * on read, with a warning, but on write unless the app turns off 1867 * application errors the PNG won't be written.) 1868 */ 1869 png_chunk_report(png_ptr, message, 1870 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR); 1871 1872 return 0; 1873 } 1874 #endif /* sRGB || iCCP */ 1875 1876 #ifdef PNG_sRGB_SUPPORTED 1877 int /* PRIVATE */ 1878 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, 1879 int intent) 1880 { 1881 /* sRGB sets known gamma, end points and (from the chunk) intent. */ 1882 /* IMPORTANT: these are not necessarily the values found in an ICC profile 1883 * because ICC profiles store values adapted to a D50 environment; it is 1884 * expected that the ICC profile mediaWhitePointTag will be D50; see the 1885 * checks and code elsewhere to understand this better. 1886 * 1887 * These XYZ values, which are accurate to 5dp, produce rgb to gray 1888 * coefficients of (6968,23435,2366), which are reduced (because they add up 1889 * to 32769 not 32768) to (6968,23434,2366). These are the values that 1890 * libpng has traditionally used (and are the best values given the 15bit 1891 * algorithm used by the rgb to gray code.) 1892 */ 1893 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */ 1894 { 1895 /* color X Y Z */ 1896 /* red */ 41239, 21264, 1933, 1897 /* green */ 35758, 71517, 11919, 1898 /* blue */ 18048, 7219, 95053 1899 }; 1900 1901 /* Do nothing if the colorspace is already invalidated. */ 1902 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1903 return 0; 1904 1905 /* Check the intent, then check for existing settings. It is valid for the 1906 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must 1907 * be consistent with the correct values. If, however, this function is 1908 * called below because an iCCP chunk matches sRGB then it is quite 1909 * conceivable that an older app recorded incorrect gAMA and cHRM because of 1910 * an incorrect calculation based on the values in the profile - this does 1911 * *not* invalidate the profile (though it still produces an error, which can 1912 * be ignored.) 1913 */ 1914 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST) 1915 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1916 (png_alloc_size_t)intent, "invalid sRGB rendering intent"); 1917 1918 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 && 1919 colorspace->rendering_intent != intent) 1920 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1921 (png_alloc_size_t)intent, "inconsistent rendering intents"); 1922 1923 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0) 1924 { 1925 png_benign_error(png_ptr, "duplicate sRGB information ignored"); 1926 return 0; 1927 } 1928 1929 /* If the standard sRGB cHRM chunk does not match the one from the PNG file 1930 * warn but overwrite the value with the correct one. 1931 */ 1932 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 && 1933 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy, 1934 100)) 1935 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB", 1936 PNG_CHUNK_ERROR); 1937 1938 /* This check is just done for the error reporting - the routine always 1939 * returns true when the 'from' argument corresponds to sRGB (2). 1940 */ 1941 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE, 1942 2/*from sRGB*/); 1943 1944 /* intent: bugs in GCC force 'int' to be used as the parameter type. */ 1945 colorspace->rendering_intent = (png_uint_16)intent; 1946 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT; 1947 1948 /* endpoints */ 1949 colorspace->end_points_xy = sRGB_xy; 1950 colorspace->end_points_XYZ = sRGB_XYZ; 1951 colorspace->flags |= 1952 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1953 1954 /* gamma */ 1955 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE; 1956 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA; 1957 1958 /* Finally record that we have an sRGB profile */ 1959 colorspace->flags |= 1960 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB); 1961 1962 return 1; /* set */ 1963 } 1964 #endif /* sRGB */ 1965 1966 #ifdef PNG_iCCP_SUPPORTED 1967 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value 1968 * is XYZ(0.9642,1.0,0.8249), which scales to: 1969 * 1970 * (63189.8112, 65536, 54060.6464) 1971 */ 1972 static const png_byte D50_nCIEXYZ[12] = 1973 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; 1974 1975 static int /* bool */ 1976 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 1977 png_const_charp name, png_uint_32 profile_length) 1978 { 1979 if (profile_length < 132) 1980 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1981 "too short"); 1982 return 1; 1983 } 1984 1985 #ifdef PNG_READ_iCCP_SUPPORTED 1986 int /* PRIVATE */ 1987 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 1988 png_const_charp name, png_uint_32 profile_length) 1989 { 1990 if (!icc_check_length(png_ptr, colorspace, name, profile_length)) 1991 return 0; 1992 1993 /* This needs to be here because the 'normal' check is in 1994 * png_decompress_chunk, yet this happens after the attempt to 1995 * png_malloc_base the required data. We only need this on read; on write 1996 * the caller supplies the profile buffer so libpng doesn't allocate it. See 1997 * the call to icc_check_length below (the write case). 1998 */ 1999 # ifdef PNG_SET_USER_LIMITS_SUPPORTED 2000 else if (png_ptr->user_chunk_malloc_max > 0 && 2001 png_ptr->user_chunk_malloc_max < profile_length) 2002 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2003 "exceeds application limits"); 2004 # elif PNG_USER_CHUNK_MALLOC_MAX > 0 2005 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length) 2006 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2007 "exceeds libpng limits"); 2008 # else /* !SET_USER_LIMITS */ 2009 /* This will get compiled out on all 32-bit and better systems. */ 2010 else if (PNG_SIZE_MAX < profile_length) 2011 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2012 "exceeds system limits"); 2013 # endif /* !SET_USER_LIMITS */ 2014 2015 return 1; 2016 } 2017 #endif /* READ_iCCP */ 2018 2019 int /* PRIVATE */ 2020 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, 2021 png_const_charp name, png_uint_32 profile_length, 2022 png_const_bytep profile/* first 132 bytes only */, int color_type) 2023 { 2024 png_uint_32 temp; 2025 2026 /* Length check; this cannot be ignored in this code because profile_length 2027 * is used later to check the tag table, so even if the profile seems over 2028 * long profile_length from the caller must be correct. The caller can fix 2029 * this up on read or write by just passing in the profile header length. 2030 */ 2031 temp = png_get_uint_32(profile); 2032 if (temp != profile_length) 2033 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2034 "length does not match profile"); 2035 2036 temp = (png_uint_32) (*(profile+8)); 2037 if (temp > 3 && (profile_length & 3)) 2038 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 2039 "invalid length"); 2040 2041 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */ 2042 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */ 2043 profile_length < 132+12*temp) /* truncated tag table */ 2044 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2045 "tag count too large"); 2046 2047 /* The 'intent' must be valid or we can't store it, ICC limits the intent to 2048 * 16 bits. 2049 */ 2050 temp = png_get_uint_32(profile+64); 2051 if (temp >= 0xffff) /* The ICC limit */ 2052 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2053 "invalid rendering intent"); 2054 2055 /* This is just a warning because the profile may be valid in future 2056 * versions. 2057 */ 2058 if (temp >= PNG_sRGB_INTENT_LAST) 2059 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2060 "intent outside defined range"); 2061 2062 /* At this point the tag table can't be checked because it hasn't necessarily 2063 * been loaded; however, various header fields can be checked. These checks 2064 * are for values permitted by the PNG spec in an ICC profile; the PNG spec 2065 * restricts the profiles that can be passed in an iCCP chunk (they must be 2066 * appropriate to processing PNG data!) 2067 */ 2068 2069 /* Data checks (could be skipped). These checks must be independent of the 2070 * version number; however, the version number doesn't accomodate changes in 2071 * the header fields (just the known tags and the interpretation of the 2072 * data.) 2073 */ 2074 temp = png_get_uint_32(profile+36); /* signature 'ascp' */ 2075 if (temp != 0x61637370) 2076 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2077 "invalid signature"); 2078 2079 /* Currently the PCS illuminant/adopted white point (the computational 2080 * white point) are required to be D50, 2081 * however the profile contains a record of the illuminant so perhaps ICC 2082 * expects to be able to change this in the future (despite the rationale in 2083 * the introduction for using a fixed PCS adopted white.) Consequently the 2084 * following is just a warning. 2085 */ 2086 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0) 2087 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/, 2088 "PCS illuminant is not D50"); 2089 2090 /* The PNG spec requires this: 2091 * "If the iCCP chunk is present, the image samples conform to the colour 2092 * space represented by the embedded ICC profile as defined by the 2093 * International Color Consortium [ICC]. The colour space of the ICC profile 2094 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and 2095 * 6), or a greyscale colour space for greyscale images (PNG colour types 0 2096 * and 4)." 2097 * 2098 * This checking code ensures the embedded profile (on either read or write) 2099 * conforms to the specification requirements. Notice that an ICC 'gray' 2100 * color-space profile contains the information to transform the monochrome 2101 * data to XYZ or L*a*b (according to which PCS the profile uses) and this 2102 * should be used in preference to the standard libpng K channel replication 2103 * into R, G and B channels. 2104 * 2105 * Previously it was suggested that an RGB profile on grayscale data could be 2106 * handled. However it it is clear that using an RGB profile in this context 2107 * must be an error - there is no specification of what it means. Thus it is 2108 * almost certainly more correct to ignore the profile. 2109 */ 2110 temp = png_get_uint_32(profile+16); /* data colour space field */ 2111 switch (temp) 2112 { 2113 case 0x52474220: /* 'RGB ' */ 2114 if ((color_type & PNG_COLOR_MASK_COLOR) == 0) 2115 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2116 "RGB color space not permitted on grayscale PNG"); 2117 break; 2118 2119 case 0x47524159: /* 'GRAY' */ 2120 if ((color_type & PNG_COLOR_MASK_COLOR) != 0) 2121 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2122 "Gray color space not permitted on RGB PNG"); 2123 break; 2124 2125 default: 2126 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2127 "invalid ICC profile color space"); 2128 } 2129 2130 /* It is up to the application to check that the profile class matches the 2131 * application requirements; the spec provides no guidance, but it's pretty 2132 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer 2133 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these 2134 * cases. Issue an error for device link or abstract profiles - these don't 2135 * contain the records necessary to transform the color-space to anything 2136 * other than the target device (and not even that for an abstract profile). 2137 * Profiles of these classes may not be embedded in images. 2138 */ 2139 temp = png_get_uint_32(profile+12); /* profile/device class */ 2140 switch (temp) 2141 { 2142 case 0x73636e72: /* 'scnr' */ 2143 case 0x6d6e7472: /* 'mntr' */ 2144 case 0x70727472: /* 'prtr' */ 2145 case 0x73706163: /* 'spac' */ 2146 /* All supported */ 2147 break; 2148 2149 case 0x61627374: /* 'abst' */ 2150 /* May not be embedded in an image */ 2151 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2152 "invalid embedded Abstract ICC profile"); 2153 2154 case 0x6c696e6b: /* 'link' */ 2155 /* DeviceLink profiles cannot be interpreted in a non-device specific 2156 * fashion, if an app uses the AToB0Tag in the profile the results are 2157 * undefined unless the result is sent to the intended device, 2158 * therefore a DeviceLink profile should not be found embedded in a 2159 * PNG. 2160 */ 2161 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2162 "unexpected DeviceLink ICC profile class"); 2163 2164 case 0x6e6d636c: /* 'nmcl' */ 2165 /* A NamedColor profile is also device specific, however it doesn't 2166 * contain an AToB0 tag that is open to misinterpretation. Almost 2167 * certainly it will fail the tests below. 2168 */ 2169 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2170 "unexpected NamedColor ICC profile class"); 2171 break; 2172 2173 default: 2174 /* To allow for future enhancements to the profile accept unrecognized 2175 * profile classes with a warning, these then hit the test below on the 2176 * tag content to ensure they are backward compatible with one of the 2177 * understood profiles. 2178 */ 2179 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2180 "unrecognized ICC profile class"); 2181 break; 2182 } 2183 2184 /* For any profile other than a device link one the PCS must be encoded 2185 * either in XYZ or Lab. 2186 */ 2187 temp = png_get_uint_32(profile+20); 2188 switch (temp) 2189 { 2190 case 0x58595a20: /* 'XYZ ' */ 2191 case 0x4c616220: /* 'Lab ' */ 2192 break; 2193 2194 default: 2195 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2196 "unexpected ICC PCS encoding"); 2197 } 2198 2199 return 1; 2200 } 2201 2202 int /* PRIVATE */ 2203 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace, 2204 png_const_charp name, png_uint_32 profile_length, 2205 png_const_bytep profile /* header plus whole tag table */) 2206 { 2207 png_uint_32 tag_count = png_get_uint_32(profile+128); 2208 png_uint_32 itag; 2209 png_const_bytep tag = profile+132; /* The first tag */ 2210 2211 /* First scan all the tags in the table and add bits to the icc_info value 2212 * (temporarily in 'tags'). 2213 */ 2214 for (itag=0; itag < tag_count; ++itag, tag += 12) 2215 { 2216 png_uint_32 tag_id = png_get_uint_32(tag+0); 2217 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */ 2218 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */ 2219 2220 /* The ICC specification does not exclude zero length tags, therefore the 2221 * start might actually be anywhere if there is no data, but this would be 2222 * a clear abuse of the intent of the standard so the start is checked for 2223 * being in range. All defined tag types have an 8 byte header - a 4 byte 2224 * type signature then 0. 2225 */ 2226 2227 /* This is a hard error; potentially it can cause read outside the 2228 * profile. 2229 */ 2230 if (tag_start > profile_length || tag_length > profile_length - tag_start) 2231 return png_icc_profile_error(png_ptr, colorspace, name, tag_id, 2232 "ICC profile tag outside profile"); 2233 2234 if ((tag_start & 3) != 0) 2235 { 2236 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is 2237 * only a warning here because libpng does not care about the 2238 * alignment. 2239 */ 2240 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id, 2241 "ICC profile tag start not a multiple of 4"); 2242 } 2243 } 2244 2245 return 1; /* success, maybe with warnings */ 2246 } 2247 2248 #ifdef PNG_sRGB_SUPPORTED 2249 #if PNG_sRGB_PROFILE_CHECKS >= 0 2250 /* Information about the known ICC sRGB profiles */ 2251 static const struct 2252 { 2253 png_uint_32 adler, crc, length; 2254 png_uint_32 md5[4]; 2255 png_byte have_md5; 2256 png_byte is_broken; 2257 png_uint_16 intent; 2258 2259 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0) 2260 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\ 2261 { adler, crc, length, md5, broke, intent }, 2262 2263 } png_sRGB_checks[] = 2264 { 2265 /* This data comes from contrib/tools/checksum-icc run on downloads of 2266 * all four ICC sRGB profiles from www.color.org. 2267 */ 2268 /* adler32, crc32, MD5[4], intent, date, length, file-name */ 2269 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9, 2270 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0, 2271 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc") 2272 2273 /* ICC sRGB v2 perceptual no black-compensation: */ 2274 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21, 2275 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0, 2276 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc") 2277 2278 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae, 2279 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0, 2280 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc") 2281 2282 /* ICC sRGB v4 perceptual */ 2283 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812, 2284 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0, 2285 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc") 2286 2287 /* The following profiles have no known MD5 checksum. If there is a match 2288 * on the (empty) MD5 the other fields are used to attempt a match and 2289 * a warning is produced. The first two of these profiles have a 'cprt' tag 2290 * which suggests that they were also made by Hewlett Packard. 2291 */ 2292 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce, 2293 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0, 2294 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc") 2295 2296 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not 2297 * match the D50 PCS illuminant in the header (it is in fact the D65 values, 2298 * so the white point is recorded as the un-adapted value.) The profiles 2299 * below only differ in one byte - the intent - and are basically the same as 2300 * the previous profile except for the mediaWhitePointTag error and a missing 2301 * chromaticAdaptationTag. 2302 */ 2303 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552, 2304 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/, 2305 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual") 2306 2307 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d, 2308 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/, 2309 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative") 2310 }; 2311 2312 static int 2313 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr, 2314 png_const_bytep profile, uLong adler) 2315 { 2316 /* The quick check is to verify just the MD5 signature and trust the 2317 * rest of the data. Because the profile has already been verified for 2318 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent' 2319 * field too, so if the profile has been edited with an intent not defined 2320 * by sRGB (but maybe defined by a later ICC specification) the read of 2321 * the profile will fail at that point. 2322 */ 2323 2324 png_uint_32 length = 0; 2325 png_uint_32 intent = 0x10000; /* invalid */ 2326 #if PNG_sRGB_PROFILE_CHECKS > 1 2327 uLong crc = 0; /* the value for 0 length data */ 2328 #endif 2329 unsigned int i; 2330 2331 #ifdef PNG_SET_OPTION_SUPPORTED 2332 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */ 2333 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) == 2334 PNG_OPTION_ON) 2335 return 0; 2336 #endif 2337 2338 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i) 2339 { 2340 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] && 2341 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] && 2342 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] && 2343 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3]) 2344 { 2345 /* This may be one of the old HP profiles without an MD5, in that 2346 * case we can only use the length and Adler32 (note that these 2347 * are not used by default if there is an MD5!) 2348 */ 2349 # if PNG_sRGB_PROFILE_CHECKS == 0 2350 if (png_sRGB_checks[i].have_md5 != 0) 2351 return 1+png_sRGB_checks[i].is_broken; 2352 # endif 2353 2354 /* Profile is unsigned or more checks have been configured in. */ 2355 if (length == 0) 2356 { 2357 length = png_get_uint_32(profile); 2358 intent = png_get_uint_32(profile+64); 2359 } 2360 2361 /* Length *and* intent must match */ 2362 if (length == (png_uint_32) png_sRGB_checks[i].length && 2363 intent == (png_uint_32) png_sRGB_checks[i].intent) 2364 { 2365 /* Now calculate the adler32 if not done already. */ 2366 if (adler == 0) 2367 { 2368 adler = adler32(0, NULL, 0); 2369 adler = adler32(adler, profile, length); 2370 } 2371 2372 if (adler == png_sRGB_checks[i].adler) 2373 { 2374 /* These basic checks suggest that the data has not been 2375 * modified, but if the check level is more than 1 perform 2376 * our own crc32 checksum on the data. 2377 */ 2378 # if PNG_sRGB_PROFILE_CHECKS > 1 2379 if (crc == 0) 2380 { 2381 crc = crc32(0, NULL, 0); 2382 crc = crc32(crc, profile, length); 2383 } 2384 2385 /* So this check must pass for the 'return' below to happen. 2386 */ 2387 if (crc == png_sRGB_checks[i].crc) 2388 # endif 2389 { 2390 if (png_sRGB_checks[i].is_broken != 0) 2391 { 2392 /* These profiles are known to have bad data that may cause 2393 * problems if they are used, therefore attempt to 2394 * discourage their use, skip the 'have_md5' warning below, 2395 * which is made irrelevant by this error. 2396 */ 2397 png_chunk_report(png_ptr, "known incorrect sRGB profile", 2398 PNG_CHUNK_ERROR); 2399 } 2400 2401 /* Warn that this being done; this isn't even an error since 2402 * the profile is perfectly valid, but it would be nice if 2403 * people used the up-to-date ones. 2404 */ 2405 else if (png_sRGB_checks[i].have_md5 == 0) 2406 { 2407 png_chunk_report(png_ptr, 2408 "out-of-date sRGB profile with no signature", 2409 PNG_CHUNK_WARNING); 2410 } 2411 2412 return 1+png_sRGB_checks[i].is_broken; 2413 } 2414 } 2415 2416 # if PNG_sRGB_PROFILE_CHECKS > 0 2417 /* The signature matched, but the profile had been changed in some 2418 * way. This probably indicates a data error or uninformed hacking. 2419 * Fall through to "no match". 2420 */ 2421 png_chunk_report(png_ptr, 2422 "Not recognizing known sRGB profile that has been edited", 2423 PNG_CHUNK_WARNING); 2424 break; 2425 # endif 2426 } 2427 } 2428 } 2429 2430 return 0; /* no match */ 2431 } 2432 2433 void /* PRIVATE */ 2434 png_icc_set_sRGB(png_const_structrp png_ptr, 2435 png_colorspacerp colorspace, png_const_bytep profile, uLong adler) 2436 { 2437 /* Is this profile one of the known ICC sRGB profiles? If it is, just set 2438 * the sRGB information. 2439 */ 2440 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0) 2441 (void)png_colorspace_set_sRGB(png_ptr, colorspace, 2442 (int)/*already checked*/png_get_uint_32(profile+64)); 2443 } 2444 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */ 2445 #endif /* sRGB */ 2446 2447 int /* PRIVATE */ 2448 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, 2449 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, 2450 int color_type) 2451 { 2452 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 2453 return 0; 2454 2455 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && 2456 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, 2457 color_type) != 0 && 2458 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, 2459 profile) != 0) 2460 { 2461 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0 2462 /* If no sRGB support, don't try storing sRGB information */ 2463 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); 2464 # endif 2465 return 1; 2466 } 2467 2468 /* Failure case */ 2469 return 0; 2470 } 2471 #endif /* iCCP */ 2472 2473 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED 2474 void /* PRIVATE */ 2475 png_colorspace_set_rgb_coefficients(png_structrp png_ptr) 2476 { 2477 /* Set the rgb_to_gray coefficients from the colorspace. */ 2478 if (png_ptr->rgb_to_gray_coefficients_set == 0 && 2479 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 2480 { 2481 /* png_set_background has not been called, get the coefficients from the Y 2482 * values of the colorspace colorants. 2483 */ 2484 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y; 2485 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y; 2486 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y; 2487 png_fixed_point total = r+g+b; 2488 2489 if (total > 0 && 2490 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 && 2491 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 && 2492 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 && 2493 r+g+b <= 32769) 2494 { 2495 /* We allow 0 coefficients here. r+g+b may be 32769 if two or 2496 * all of the coefficients were rounded up. Handle this by 2497 * reducing the *largest* coefficient by 1; this matches the 2498 * approach used for the default coefficients in pngrtran.c 2499 */ 2500 int add = 0; 2501 2502 if (r+g+b > 32768) 2503 add = -1; 2504 else if (r+g+b < 32768) 2505 add = 1; 2506 2507 if (add != 0) 2508 { 2509 if (g >= r && g >= b) 2510 g += add; 2511 else if (r >= g && r >= b) 2512 r += add; 2513 else 2514 b += add; 2515 } 2516 2517 /* Check for an internal error. */ 2518 if (r+g+b != 32768) 2519 png_error(png_ptr, 2520 "internal error handling cHRM coefficients"); 2521 2522 else 2523 { 2524 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r; 2525 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g; 2526 } 2527 } 2528 2529 /* This is a png_error at present even though it could be ignored - 2530 * it should never happen, but it is important that if it does, the 2531 * bug is fixed. 2532 */ 2533 else 2534 png_error(png_ptr, "internal error handling cHRM->XYZ"); 2535 } 2536 } 2537 #endif /* READ_RGB_TO_GRAY */ 2538 2539 #endif /* COLORSPACE */ 2540 2541 #ifdef __GNUC__ 2542 /* This exists solely to work round a warning from GNU C. */ 2543 static int /* PRIVATE */ 2544 png_gt(size_t a, size_t b) 2545 { 2546 return a > b; 2547 } 2548 #else 2549 # define png_gt(a,b) ((a) > (b)) 2550 #endif 2551 2552 void /* PRIVATE */ 2553 png_check_IHDR(png_const_structrp png_ptr, 2554 png_uint_32 width, png_uint_32 height, int bit_depth, 2555 int color_type, int interlace_type, int compression_type, 2556 int filter_type) 2557 { 2558 int error = 0; 2559 2560 /* Check for width and height valid values */ 2561 if (width == 0) 2562 { 2563 png_warning(png_ptr, "Image width is zero in IHDR"); 2564 error = 1; 2565 } 2566 2567 if (width > PNG_UINT_31_MAX) 2568 { 2569 png_warning(png_ptr, "Invalid image width in IHDR"); 2570 error = 1; 2571 } 2572 2573 if (png_gt(((width + 7) & (~7U)), 2574 ((PNG_SIZE_MAX 2575 - 48 /* big_row_buf hack */ 2576 - 1) /* filter byte */ 2577 / 8) /* 8-byte RGBA pixels */ 2578 - 1)) /* extra max_pixel_depth pad */ 2579 { 2580 /* The size of the row must be within the limits of this architecture. 2581 * Because the read code can perform arbitrary transformations the 2582 * maximum size is checked here. Because the code in png_read_start_row 2583 * adds extra space "for safety's sake" in several places a conservative 2584 * limit is used here. 2585 * 2586 * NOTE: it would be far better to check the size that is actually used, 2587 * but the effect in the real world is minor and the changes are more 2588 * extensive, therefore much more dangerous and much more difficult to 2589 * write in a way that avoids compiler warnings. 2590 */ 2591 png_warning(png_ptr, "Image width is too large for this architecture"); 2592 error = 1; 2593 } 2594 2595 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2596 if (width > png_ptr->user_width_max) 2597 #else 2598 if (width > PNG_USER_WIDTH_MAX) 2599 #endif 2600 { 2601 png_warning(png_ptr, "Image width exceeds user limit in IHDR"); 2602 error = 1; 2603 } 2604 2605 if (height == 0) 2606 { 2607 png_warning(png_ptr, "Image height is zero in IHDR"); 2608 error = 1; 2609 } 2610 2611 if (height > PNG_UINT_31_MAX) 2612 { 2613 png_warning(png_ptr, "Invalid image height in IHDR"); 2614 error = 1; 2615 } 2616 2617 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2618 if (height > png_ptr->user_height_max) 2619 #else 2620 if (height > PNG_USER_HEIGHT_MAX) 2621 #endif 2622 { 2623 png_warning(png_ptr, "Image height exceeds user limit in IHDR"); 2624 error = 1; 2625 } 2626 2627 /* Check other values */ 2628 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && 2629 bit_depth != 8 && bit_depth != 16) 2630 { 2631 png_warning(png_ptr, "Invalid bit depth in IHDR"); 2632 error = 1; 2633 } 2634 2635 if (color_type < 0 || color_type == 1 || 2636 color_type == 5 || color_type > 6) 2637 { 2638 png_warning(png_ptr, "Invalid color type in IHDR"); 2639 error = 1; 2640 } 2641 2642 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || 2643 ((color_type == PNG_COLOR_TYPE_RGB || 2644 color_type == PNG_COLOR_TYPE_GRAY_ALPHA || 2645 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) 2646 { 2647 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR"); 2648 error = 1; 2649 } 2650 2651 if (interlace_type >= PNG_INTERLACE_LAST) 2652 { 2653 png_warning(png_ptr, "Unknown interlace method in IHDR"); 2654 error = 1; 2655 } 2656 2657 if (compression_type != PNG_COMPRESSION_TYPE_BASE) 2658 { 2659 png_warning(png_ptr, "Unknown compression method in IHDR"); 2660 error = 1; 2661 } 2662 2663 #ifdef PNG_MNG_FEATURES_SUPPORTED 2664 /* Accept filter_method 64 (intrapixel differencing) only if 2665 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and 2666 * 2. Libpng did not read a PNG signature (this filter_method is only 2667 * used in PNG datastreams that are embedded in MNG datastreams) and 2668 * 3. The application called png_permit_mng_features with a mask that 2669 * included PNG_FLAG_MNG_FILTER_64 and 2670 * 4. The filter_method is 64 and 2671 * 5. The color_type is RGB or RGBA 2672 */ 2673 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && 2674 png_ptr->mng_features_permitted != 0) 2675 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); 2676 2677 if (filter_type != PNG_FILTER_TYPE_BASE) 2678 { 2679 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 && 2680 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && 2681 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) && 2682 (color_type == PNG_COLOR_TYPE_RGB || 2683 color_type == PNG_COLOR_TYPE_RGB_ALPHA))) 2684 { 2685 png_warning(png_ptr, "Unknown filter method in IHDR"); 2686 error = 1; 2687 } 2688 2689 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0) 2690 { 2691 png_warning(png_ptr, "Invalid filter method in IHDR"); 2692 error = 1; 2693 } 2694 } 2695 2696 #else 2697 if (filter_type != PNG_FILTER_TYPE_BASE) 2698 { 2699 png_warning(png_ptr, "Unknown filter method in IHDR"); 2700 error = 1; 2701 } 2702 #endif 2703 2704 if (error == 1) 2705 png_error(png_ptr, "Invalid IHDR data"); 2706 } 2707 2708 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) 2709 /* ASCII to fp functions */ 2710 /* Check an ASCII formated floating point value, see the more detailed 2711 * comments in pngpriv.h 2712 */ 2713 /* The following is used internally to preserve the sticky flags */ 2714 #define png_fp_add(state, flags) ((state) |= (flags)) 2715 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY)) 2716 2717 int /* PRIVATE */ 2718 png_check_fp_number(png_const_charp string, png_size_t size, int *statep, 2719 png_size_tp whereami) 2720 { 2721 int state = *statep; 2722 png_size_t i = *whereami; 2723 2724 while (i < size) 2725 { 2726 int type; 2727 /* First find the type of the next character */ 2728 switch (string[i]) 2729 { 2730 case 43: type = PNG_FP_SAW_SIGN; break; 2731 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break; 2732 case 46: type = PNG_FP_SAW_DOT; break; 2733 case 48: type = PNG_FP_SAW_DIGIT; break; 2734 case 49: case 50: case 51: case 52: 2735 case 53: case 54: case 55: case 56: 2736 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break; 2737 case 69: 2738 case 101: type = PNG_FP_SAW_E; break; 2739 default: goto PNG_FP_End; 2740 } 2741 2742 /* Now deal with this type according to the current 2743 * state, the type is arranged to not overlap the 2744 * bits of the PNG_FP_STATE. 2745 */ 2746 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY)) 2747 { 2748 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN: 2749 if ((state & PNG_FP_SAW_ANY) != 0) 2750 goto PNG_FP_End; /* not a part of the number */ 2751 2752 png_fp_add(state, type); 2753 break; 2754 2755 case PNG_FP_INTEGER + PNG_FP_SAW_DOT: 2756 /* Ok as trailer, ok as lead of fraction. */ 2757 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */ 2758 goto PNG_FP_End; 2759 2760 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */ 2761 png_fp_add(state, type); 2762 2763 else 2764 png_fp_set(state, PNG_FP_FRACTION | type); 2765 2766 break; 2767 2768 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT: 2769 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */ 2770 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT); 2771 2772 png_fp_add(state, type | PNG_FP_WAS_VALID); 2773 2774 break; 2775 2776 case PNG_FP_INTEGER + PNG_FP_SAW_E: 2777 if ((state & PNG_FP_SAW_DIGIT) == 0) 2778 goto PNG_FP_End; 2779 2780 png_fp_set(state, PNG_FP_EXPONENT); 2781 2782 break; 2783 2784 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN: 2785 goto PNG_FP_End; ** no sign in fraction */ 2786 2787 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT: 2788 goto PNG_FP_End; ** Because SAW_DOT is always set */ 2789 2790 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT: 2791 png_fp_add(state, type | PNG_FP_WAS_VALID); 2792 break; 2793 2794 case PNG_FP_FRACTION + PNG_FP_SAW_E: 2795 /* This is correct because the trailing '.' on an 2796 * integer is handled above - so we can only get here 2797 * with the sequence ".E" (with no preceding digits). 2798 */ 2799 if ((state & PNG_FP_SAW_DIGIT) == 0) 2800 goto PNG_FP_End; 2801 2802 png_fp_set(state, PNG_FP_EXPONENT); 2803 2804 break; 2805 2806 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN: 2807 if ((state & PNG_FP_SAW_ANY) != 0) 2808 goto PNG_FP_End; /* not a part of the number */ 2809 2810 png_fp_add(state, PNG_FP_SAW_SIGN); 2811 2812 break; 2813 2814 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT: 2815 goto PNG_FP_End; */ 2816 2817 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT: 2818 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID); 2819 2820 break; 2821 2822 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E: 2823 goto PNG_FP_End; */ 2824 2825 default: goto PNG_FP_End; /* I.e. break 2 */ 2826 } 2827 2828 /* The character seems ok, continue. */ 2829 ++i; 2830 } 2831 2832 PNG_FP_End: 2833 /* Here at the end, update the state and return the correct 2834 * return code. 2835 */ 2836 *statep = state; 2837 *whereami = i; 2838 2839 return (state & PNG_FP_SAW_DIGIT) != 0; 2840 } 2841 2842 2843 /* The same but for a complete string. */ 2844 int 2845 png_check_fp_string(png_const_charp string, png_size_t size) 2846 { 2847 int state=0; 2848 png_size_t char_index=0; 2849 2850 if (png_check_fp_number(string, size, &state, &char_index) != 0 && 2851 (char_index == size || string[char_index] == 0)) 2852 return state /* must be non-zero - see above */; 2853 2854 return 0; /* i.e. fail */ 2855 } 2856 #endif /* pCAL || sCAL */ 2857 2858 #ifdef PNG_sCAL_SUPPORTED 2859 # ifdef PNG_FLOATING_POINT_SUPPORTED 2860 /* Utility used below - a simple accurate power of ten from an integral 2861 * exponent. 2862 */ 2863 static double 2864 png_pow10(int power) 2865 { 2866 int recip = 0; 2867 double d = 1; 2868 2869 /* Handle negative exponent with a reciprocal at the end because 2870 * 10 is exact whereas .1 is inexact in base 2 2871 */ 2872 if (power < 0) 2873 { 2874 if (power < DBL_MIN_10_EXP) return 0; 2875 recip = 1; power = -power; 2876 } 2877 2878 if (power > 0) 2879 { 2880 /* Decompose power bitwise. */ 2881 double mult = 10; 2882 do 2883 { 2884 if (power & 1) d *= mult; 2885 mult *= mult; 2886 power >>= 1; 2887 } 2888 while (power > 0); 2889 2890 if (recip != 0) d = 1/d; 2891 } 2892 /* else power is 0 and d is 1 */ 2893 2894 return d; 2895 } 2896 2897 /* Function to format a floating point value in ASCII with a given 2898 * precision. 2899 */ 2900 #if GCC_STRICT_OVERFLOW 2901 #pragma GCC diagnostic push 2902 /* The problem arises below with exp_b10, which can never overflow because it 2903 * comes, originally, from frexp and is therefore limited to a range which is 2904 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)). 2905 */ 2906 #pragma GCC diagnostic warning "-Wstrict-overflow=2" 2907 #endif /* GCC_STRICT_OVERFLOW */ 2908 void /* PRIVATE */ 2909 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size, 2910 double fp, unsigned int precision) 2911 { 2912 /* We use standard functions from math.h, but not printf because 2913 * that would require stdio. The caller must supply a buffer of 2914 * sufficient size or we will png_error. The tests on size and 2915 * the space in ascii[] consumed are indicated below. 2916 */ 2917 if (precision < 1) 2918 precision = DBL_DIG; 2919 2920 /* Enforce the limit of the implementation precision too. */ 2921 if (precision > DBL_DIG+1) 2922 precision = DBL_DIG+1; 2923 2924 /* Basic sanity checks */ 2925 if (size >= precision+5) /* See the requirements below. */ 2926 { 2927 if (fp < 0) 2928 { 2929 fp = -fp; 2930 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */ 2931 --size; 2932 } 2933 2934 if (fp >= DBL_MIN && fp <= DBL_MAX) 2935 { 2936 int exp_b10; /* A base 10 exponent */ 2937 double base; /* 10^exp_b10 */ 2938 2939 /* First extract a base 10 exponent of the number, 2940 * the calculation below rounds down when converting 2941 * from base 2 to base 10 (multiply by log10(2) - 2942 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to 2943 * be increased. Note that the arithmetic shift 2944 * performs a floor() unlike C arithmetic - using a 2945 * C multiply would break the following for negative 2946 * exponents. 2947 */ 2948 (void)frexp(fp, &exp_b10); /* exponent to base 2 */ 2949 2950 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */ 2951 2952 /* Avoid underflow here. */ 2953 base = png_pow10(exp_b10); /* May underflow */ 2954 2955 while (base < DBL_MIN || base < fp) 2956 { 2957 /* And this may overflow. */ 2958 double test = png_pow10(exp_b10+1); 2959 2960 if (test <= DBL_MAX) 2961 { 2962 ++exp_b10; base = test; 2963 } 2964 2965 else 2966 break; 2967 } 2968 2969 /* Normalize fp and correct exp_b10, after this fp is in the 2970 * range [.1,1) and exp_b10 is both the exponent and the digit 2971 * *before* which the decimal point should be inserted 2972 * (starting with 0 for the first digit). Note that this 2973 * works even if 10^exp_b10 is out of range because of the 2974 * test on DBL_MAX above. 2975 */ 2976 fp /= base; 2977 while (fp >= 1) 2978 { 2979 fp /= 10; ++exp_b10; 2980 } 2981 2982 /* Because of the code above fp may, at this point, be 2983 * less than .1, this is ok because the code below can 2984 * handle the leading zeros this generates, so no attempt 2985 * is made to correct that here. 2986 */ 2987 2988 { 2989 unsigned int czero, clead, cdigits; 2990 char exponent[10]; 2991 2992 /* Allow up to two leading zeros - this will not lengthen 2993 * the number compared to using E-n. 2994 */ 2995 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */ 2996 { 2997 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */ 2998 exp_b10 = 0; /* Dot added below before first output. */ 2999 } 3000 else 3001 czero = 0; /* No zeros to add */ 3002 3003 /* Generate the digit list, stripping trailing zeros and 3004 * inserting a '.' before a digit if the exponent is 0. 3005 */ 3006 clead = czero; /* Count of leading zeros */ 3007 cdigits = 0; /* Count of digits in list. */ 3008 3009 do 3010 { 3011 double d; 3012 3013 fp *= 10; 3014 /* Use modf here, not floor and subtract, so that 3015 * the separation is done in one step. At the end 3016 * of the loop don't break the number into parts so 3017 * that the final digit is rounded. 3018 */ 3019 if (cdigits+czero+1 < precision+clead) 3020 fp = modf(fp, &d); 3021 3022 else 3023 { 3024 d = floor(fp + .5); 3025 3026 if (d > 9) 3027 { 3028 /* Rounding up to 10, handle that here. */ 3029 if (czero > 0) 3030 { 3031 --czero; d = 1; 3032 if (cdigits == 0) --clead; 3033 } 3034 else 3035 { 3036 while (cdigits > 0 && d > 9) 3037 { 3038 int ch = *--ascii; 3039 3040 if (exp_b10 != (-1)) 3041 ++exp_b10; 3042 3043 else if (ch == 46) 3044 { 3045 ch = *--ascii; ++size; 3046 /* Advance exp_b10 to '1', so that the 3047 * decimal point happens after the 3048 * previous digit. 3049 */ 3050 exp_b10 = 1; 3051 } 3052 3053 --cdigits; 3054 d = ch - 47; /* I.e. 1+(ch-48) */ 3055 } 3056 3057 /* Did we reach the beginning? If so adjust the 3058 * exponent but take into account the leading 3059 * decimal point. 3060 */ 3061 if (d > 9) /* cdigits == 0 */ 3062 { 3063 if (exp_b10 == (-1)) 3064 { 3065 /* Leading decimal point (plus zeros?), if 3066 * we lose the decimal point here it must 3067 * be reentered below. 3068 */ 3069 int ch = *--ascii; 3070 3071 if (ch == 46) 3072 { 3073 ++size; exp_b10 = 1; 3074 } 3075 3076 /* Else lost a leading zero, so 'exp_b10' is 3077 * still ok at (-1) 3078 */ 3079 } 3080 else 3081 ++exp_b10; 3082 3083 /* In all cases we output a '1' */ 3084 d = 1; 3085 } 3086 } 3087 } 3088 fp = 0; /* Guarantees termination below. */ 3089 } 3090 3091 if (d == 0) 3092 { 3093 ++czero; 3094 if (cdigits == 0) ++clead; 3095 } 3096 else 3097 { 3098 /* Included embedded zeros in the digit count. */ 3099 cdigits += czero - clead; 3100 clead = 0; 3101 3102 while (czero > 0) 3103 { 3104 /* exp_b10 == (-1) means we just output the decimal 3105 * place - after the DP don't adjust 'exp_b10' any 3106 * more! 3107 */ 3108 if (exp_b10 != (-1)) 3109 { 3110 if (exp_b10 == 0) 3111 { 3112 *ascii++ = 46; --size; 3113 } 3114 /* PLUS 1: TOTAL 4 */ 3115 --exp_b10; 3116 } 3117 *ascii++ = 48; --czero; 3118 } 3119 3120 if (exp_b10 != (-1)) 3121 { 3122 if (exp_b10 == 0) 3123 { 3124 *ascii++ = 46; --size; /* counted above */ 3125 } 3126 3127 --exp_b10; 3128 } 3129 *ascii++ = (char)(48 + (int)d); ++cdigits; 3130 } 3131 } 3132 while (cdigits+czero < precision+clead && fp > DBL_MIN); 3133 3134 /* The total output count (max) is now 4+precision */ 3135 3136 /* Check for an exponent, if we don't need one we are 3137 * done and just need to terminate the string. At 3138 * this point exp_b10==(-1) is effectively a flag - it got 3139 * to '-1' because of the decrement after outputting 3140 * the decimal point above (the exponent required is 3141 * *not* -1!) 3142 */ 3143 if (exp_b10 >= (-1) && exp_b10 <= 2) 3144 { 3145 /* The following only happens if we didn't output the 3146 * leading zeros above for negative exponent, so this 3147 * doesn't add to the digit requirement. Note that the 3148 * two zeros here can only be output if the two leading 3149 * zeros were *not* output, so this doesn't increase 3150 * the output count. 3151 */ 3152 while (exp_b10-- > 0) *ascii++ = 48; 3153 3154 *ascii = 0; 3155 3156 /* Total buffer requirement (including the '\0') is 3157 * 5+precision - see check at the start. 3158 */ 3159 return; 3160 } 3161 3162 /* Here if an exponent is required, adjust size for 3163 * the digits we output but did not count. The total 3164 * digit output here so far is at most 1+precision - no 3165 * decimal point and no leading or trailing zeros have 3166 * been output. 3167 */ 3168 size -= cdigits; 3169 3170 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */ 3171 3172 /* The following use of an unsigned temporary avoids ambiguities in 3173 * the signed arithmetic on exp_b10 and permits GCC at least to do 3174 * better optimization. 3175 */ 3176 { 3177 unsigned int uexp_b10; 3178 3179 if (exp_b10 < 0) 3180 { 3181 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */ 3182 uexp_b10 = 0U-exp_b10; 3183 } 3184 3185 else 3186 uexp_b10 = 0U+exp_b10; 3187 3188 cdigits = 0; 3189 3190 while (uexp_b10 > 0) 3191 { 3192 exponent[cdigits++] = (char)(48 + uexp_b10 % 10); 3193 uexp_b10 /= 10; 3194 } 3195 } 3196 3197 /* Need another size check here for the exponent digits, so 3198 * this need not be considered above. 3199 */ 3200 if (size > cdigits) 3201 { 3202 while (cdigits > 0) *ascii++ = exponent[--cdigits]; 3203 3204 *ascii = 0; 3205 3206 return; 3207 } 3208 } 3209 } 3210 else if (!(fp >= DBL_MIN)) 3211 { 3212 *ascii++ = 48; /* '0' */ 3213 *ascii = 0; 3214 return; 3215 } 3216 else 3217 { 3218 *ascii++ = 105; /* 'i' */ 3219 *ascii++ = 110; /* 'n' */ 3220 *ascii++ = 102; /* 'f' */ 3221 *ascii = 0; 3222 return; 3223 } 3224 } 3225 3226 /* Here on buffer too small. */ 3227 png_error(png_ptr, "ASCII conversion buffer too small"); 3228 } 3229 #if GCC_STRICT_OVERFLOW 3230 #pragma GCC diagnostic pop 3231 #endif /* GCC_STRICT_OVERFLOW */ 3232 3233 # endif /* FLOATING_POINT */ 3234 3235 # ifdef PNG_FIXED_POINT_SUPPORTED 3236 /* Function to format a fixed point value in ASCII. 3237 */ 3238 void /* PRIVATE */ 3239 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii, 3240 png_size_t size, png_fixed_point fp) 3241 { 3242 /* Require space for 10 decimal digits, a decimal point, a minus sign and a 3243 * trailing \0, 13 characters: 3244 */ 3245 if (size > 12) 3246 { 3247 png_uint_32 num; 3248 3249 /* Avoid overflow here on the minimum integer. */ 3250 if (fp < 0) 3251 { 3252 *ascii++ = 45; num = (png_uint_32)(-fp); 3253 } 3254 else 3255 num = (png_uint_32)fp; 3256 3257 if (num <= 0x80000000) /* else overflowed */ 3258 { 3259 unsigned int ndigits = 0, first = 16 /* flag value */; 3260 char digits[10]; 3261 3262 while (num) 3263 { 3264 /* Split the low digit off num: */ 3265 unsigned int tmp = num/10; 3266 num -= tmp*10; 3267 digits[ndigits++] = (char)(48 + num); 3268 /* Record the first non-zero digit, note that this is a number 3269 * starting at 1, it's not actually the array index. 3270 */ 3271 if (first == 16 && num > 0) 3272 first = ndigits; 3273 num = tmp; 3274 } 3275 3276 if (ndigits > 0) 3277 { 3278 while (ndigits > 5) *ascii++ = digits[--ndigits]; 3279 /* The remaining digits are fractional digits, ndigits is '5' or 3280 * smaller at this point. It is certainly not zero. Check for a 3281 * non-zero fractional digit: 3282 */ 3283 if (first <= 5) 3284 { 3285 unsigned int i; 3286 *ascii++ = 46; /* decimal point */ 3287 /* ndigits may be <5 for small numbers, output leading zeros 3288 * then ndigits digits to first: 3289 */ 3290 i = 5; 3291 while (ndigits < i) 3292 { 3293 *ascii++ = 48; --i; 3294 } 3295 while (ndigits >= first) *ascii++ = digits[--ndigits]; 3296 /* Don't output the trailing zeros! */ 3297 } 3298 } 3299 else 3300 *ascii++ = 48; 3301 3302 /* And null terminate the string: */ 3303 *ascii = 0; 3304 return; 3305 } 3306 } 3307 3308 /* Here on buffer too small. */ 3309 png_error(png_ptr, "ASCII conversion buffer too small"); 3310 } 3311 # endif /* FIXED_POINT */ 3312 #endif /* SCAL */ 3313 3314 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \ 3315 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \ 3316 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \ 3317 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 3318 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \ 3319 (defined(PNG_sCAL_SUPPORTED) && \ 3320 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED)) 3321 png_fixed_point 3322 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text) 3323 { 3324 double r = floor(100000 * fp + .5); 3325 3326 if (r > 2147483647. || r < -2147483648.) 3327 png_fixed_error(png_ptr, text); 3328 3329 # ifndef PNG_ERROR_TEXT_SUPPORTED 3330 PNG_UNUSED(text) 3331 # endif 3332 3333 return (png_fixed_point)r; 3334 } 3335 #endif 3336 3337 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\ 3338 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED) 3339 /* muldiv functions */ 3340 /* This API takes signed arguments and rounds the result to the nearest 3341 * integer (or, for a fixed point number - the standard argument - to 3342 * the nearest .00001). Overflow and divide by zero are signalled in 3343 * the result, a boolean - true on success, false on overflow. 3344 */ 3345 #if GCC_STRICT_OVERFLOW /* from above */ 3346 /* It is not obvious which comparison below gets optimized in such a way that 3347 * signed overflow would change the result; looking through the code does not 3348 * reveal any tests which have the form GCC complains about, so presumably the 3349 * optimizer is moving an add or subtract into the 'if' somewhere. 3350 */ 3351 #pragma GCC diagnostic push 3352 #pragma GCC diagnostic warning "-Wstrict-overflow=2" 3353 #endif /* GCC_STRICT_OVERFLOW */ 3354 int 3355 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times, 3356 png_int_32 divisor) 3357 { 3358 /* Return a * times / divisor, rounded. */ 3359 if (divisor != 0) 3360 { 3361 if (a == 0 || times == 0) 3362 { 3363 *res = 0; 3364 return 1; 3365 } 3366 else 3367 { 3368 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3369 double r = a; 3370 r *= times; 3371 r /= divisor; 3372 r = floor(r+.5); 3373 3374 /* A png_fixed_point is a 32-bit integer. */ 3375 if (r <= 2147483647. && r >= -2147483648.) 3376 { 3377 *res = (png_fixed_point)r; 3378 return 1; 3379 } 3380 #else 3381 int negative = 0; 3382 png_uint_32 A, T, D; 3383 png_uint_32 s16, s32, s00; 3384 3385 if (a < 0) 3386 negative = 1, A = -a; 3387 else 3388 A = a; 3389 3390 if (times < 0) 3391 negative = !negative, T = -times; 3392 else 3393 T = times; 3394 3395 if (divisor < 0) 3396 negative = !negative, D = -divisor; 3397 else 3398 D = divisor; 3399 3400 /* Following can't overflow because the arguments only 3401 * have 31 bits each, however the result may be 32 bits. 3402 */ 3403 s16 = (A >> 16) * (T & 0xffff) + 3404 (A & 0xffff) * (T >> 16); 3405 /* Can't overflow because the a*times bit is only 30 3406 * bits at most. 3407 */ 3408 s32 = (A >> 16) * (T >> 16) + (s16 >> 16); 3409 s00 = (A & 0xffff) * (T & 0xffff); 3410 3411 s16 = (s16 & 0xffff) << 16; 3412 s00 += s16; 3413 3414 if (s00 < s16) 3415 ++s32; /* carry */ 3416 3417 if (s32 < D) /* else overflow */ 3418 { 3419 /* s32.s00 is now the 64-bit product, do a standard 3420 * division, we know that s32 < D, so the maximum 3421 * required shift is 31. 3422 */ 3423 int bitshift = 32; 3424 png_fixed_point result = 0; /* NOTE: signed */ 3425 3426 while (--bitshift >= 0) 3427 { 3428 png_uint_32 d32, d00; 3429 3430 if (bitshift > 0) 3431 d32 = D >> (32-bitshift), d00 = D << bitshift; 3432 3433 else 3434 d32 = 0, d00 = D; 3435 3436 if (s32 > d32) 3437 { 3438 if (s00 < d00) --s32; /* carry */ 3439 s32 -= d32, s00 -= d00, result += 1<<bitshift; 3440 } 3441 3442 else 3443 if (s32 == d32 && s00 >= d00) 3444 s32 = 0, s00 -= d00, result += 1<<bitshift; 3445 } 3446 3447 /* Handle the rounding. */ 3448 if (s00 >= (D >> 1)) 3449 ++result; 3450 3451 if (negative != 0) 3452 result = -result; 3453 3454 /* Check for overflow. */ 3455 if ((negative != 0 && result <= 0) || 3456 (negative == 0 && result >= 0)) 3457 { 3458 *res = result; 3459 return 1; 3460 } 3461 } 3462 #endif 3463 } 3464 } 3465 3466 return 0; 3467 } 3468 #if GCC_STRICT_OVERFLOW 3469 #pragma GCC diagnostic pop 3470 #endif /* GCC_STRICT_OVERFLOW */ 3471 #endif /* READ_GAMMA || INCH_CONVERSIONS */ 3472 3473 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED) 3474 /* The following is for when the caller doesn't much care about the 3475 * result. 3476 */ 3477 png_fixed_point 3478 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times, 3479 png_int_32 divisor) 3480 { 3481 png_fixed_point result; 3482 3483 if (png_muldiv(&result, a, times, divisor) != 0) 3484 return result; 3485 3486 png_warning(png_ptr, "fixed point overflow ignored"); 3487 return 0; 3488 } 3489 #endif 3490 3491 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */ 3492 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */ 3493 png_fixed_point 3494 png_reciprocal(png_fixed_point a) 3495 { 3496 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3497 double r = floor(1E10/a+.5); 3498 3499 if (r <= 2147483647. && r >= -2147483648.) 3500 return (png_fixed_point)r; 3501 #else 3502 png_fixed_point res; 3503 3504 if (png_muldiv(&res, 100000, 100000, a) != 0) 3505 return res; 3506 #endif 3507 3508 return 0; /* error/overflow */ 3509 } 3510 3511 /* This is the shared test on whether a gamma value is 'significant' - whether 3512 * it is worth doing gamma correction. 3513 */ 3514 int /* PRIVATE */ 3515 png_gamma_significant(png_fixed_point gamma_val) 3516 { 3517 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED || 3518 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED; 3519 } 3520 #endif 3521 3522 #ifdef PNG_READ_GAMMA_SUPPORTED 3523 #ifdef PNG_16BIT_SUPPORTED 3524 /* A local convenience routine. */ 3525 static png_fixed_point 3526 png_product2(png_fixed_point a, png_fixed_point b) 3527 { 3528 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3529 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3530 double r = a * 1E-5; 3531 r *= b; 3532 r = floor(r+.5); 3533 3534 if (r <= 2147483647. && r >= -2147483648.) 3535 return (png_fixed_point)r; 3536 #else 3537 png_fixed_point res; 3538 3539 if (png_muldiv(&res, a, b, 100000) != 0) 3540 return res; 3541 #endif 3542 3543 return 0; /* overflow */ 3544 } 3545 #endif /* 16BIT */ 3546 3547 /* The inverse of the above. */ 3548 png_fixed_point 3549 png_reciprocal2(png_fixed_point a, png_fixed_point b) 3550 { 3551 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3552 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3553 if (a != 0 && b != 0) 3554 { 3555 double r = 1E15/a; 3556 r /= b; 3557 r = floor(r+.5); 3558 3559 if (r <= 2147483647. && r >= -2147483648.) 3560 return (png_fixed_point)r; 3561 } 3562 #else 3563 /* This may overflow because the range of png_fixed_point isn't symmetric, 3564 * but this API is only used for the product of file and screen gamma so it 3565 * doesn't matter that the smallest number it can produce is 1/21474, not 3566 * 1/100000 3567 */ 3568 png_fixed_point res = png_product2(a, b); 3569 3570 if (res != 0) 3571 return png_reciprocal(res); 3572 #endif 3573 3574 return 0; /* overflow */ 3575 } 3576 #endif /* READ_GAMMA */ 3577 3578 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */ 3579 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED 3580 /* Fixed point gamma. 3581 * 3582 * The code to calculate the tables used below can be found in the shell script 3583 * contrib/tools/intgamma.sh 3584 * 3585 * To calculate gamma this code implements fast log() and exp() calls using only 3586 * fixed point arithmetic. This code has sufficient precision for either 8-bit 3587 * or 16-bit sample values. 3588 * 3589 * The tables used here were calculated using simple 'bc' programs, but C double 3590 * precision floating point arithmetic would work fine. 3591 * 3592 * 8-bit log table 3593 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to 3594 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point 3595 * mantissa. The numbers are 32-bit fractions. 3596 */ 3597 static const png_uint_32 3598 png_8bit_l2[128] = 3599 { 3600 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U, 3601 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U, 3602 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U, 3603 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U, 3604 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U, 3605 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U, 3606 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U, 3607 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U, 3608 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U, 3609 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U, 3610 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U, 3611 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U, 3612 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U, 3613 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U, 3614 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U, 3615 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U, 3616 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U, 3617 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U, 3618 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U, 3619 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U, 3620 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U, 3621 24347096U, 0U 3622 3623 #if 0 3624 /* The following are the values for 16-bit tables - these work fine for the 3625 * 8-bit conversions but produce very slightly larger errors in the 16-bit 3626 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To 3627 * use these all the shifts below must be adjusted appropriately. 3628 */ 3629 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054, 3630 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803, 3631 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068, 3632 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782, 3633 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887, 3634 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339, 3635 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098, 3636 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132, 3637 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415, 3638 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523, 3639 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495, 3640 1119, 744, 372 3641 #endif 3642 }; 3643 3644 static png_int_32 3645 png_log8bit(unsigned int x) 3646 { 3647 unsigned int lg2 = 0; 3648 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log, 3649 * because the log is actually negate that means adding 1. The final 3650 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1 3651 * input), return -1 for the overflow (log 0) case, - so the result is 3652 * always at most 19 bits. 3653 */ 3654 if ((x &= 0xff) == 0) 3655 return -1; 3656 3657 if ((x & 0xf0) == 0) 3658 lg2 = 4, x <<= 4; 3659 3660 if ((x & 0xc0) == 0) 3661 lg2 += 2, x <<= 2; 3662 3663 if ((x & 0x80) == 0) 3664 lg2 += 1, x <<= 1; 3665 3666 /* result is at most 19 bits, so this cast is safe: */ 3667 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16)); 3668 } 3669 3670 /* The above gives exact (to 16 binary places) log2 values for 8-bit images, 3671 * for 16-bit images we use the most significant 8 bits of the 16-bit value to 3672 * get an approximation then multiply the approximation by a correction factor 3673 * determined by the remaining up to 8 bits. This requires an additional step 3674 * in the 16-bit case. 3675 * 3676 * We want log2(value/65535), we have log2(v'/255), where: 3677 * 3678 * value = v' * 256 + v'' 3679 * = v' * f 3680 * 3681 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128 3682 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less 3683 * than 258. The final factor also needs to correct for the fact that our 8-bit 3684 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535. 3685 * 3686 * This gives a final formula using a calculated value 'x' which is value/v' and 3687 * scaling by 65536 to match the above table: 3688 * 3689 * log2(x/257) * 65536 3690 * 3691 * Since these numbers are so close to '1' we can use simple linear 3692 * interpolation between the two end values 256/257 (result -368.61) and 258/257 3693 * (result 367.179). The values used below are scaled by a further 64 to give 3694 * 16-bit precision in the interpolation: 3695 * 3696 * Start (256): -23591 3697 * Zero (257): 0 3698 * End (258): 23499 3699 */ 3700 #ifdef PNG_16BIT_SUPPORTED 3701 static png_int_32 3702 png_log16bit(png_uint_32 x) 3703 { 3704 unsigned int lg2 = 0; 3705 3706 /* As above, but now the input has 16 bits. */ 3707 if ((x &= 0xffff) == 0) 3708 return -1; 3709 3710 if ((x & 0xff00) == 0) 3711 lg2 = 8, x <<= 8; 3712 3713 if ((x & 0xf000) == 0) 3714 lg2 += 4, x <<= 4; 3715 3716 if ((x & 0xc000) == 0) 3717 lg2 += 2, x <<= 2; 3718 3719 if ((x & 0x8000) == 0) 3720 lg2 += 1, x <<= 1; 3721 3722 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional 3723 * value. 3724 */ 3725 lg2 <<= 28; 3726 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4; 3727 3728 /* Now we need to interpolate the factor, this requires a division by the top 3729 * 8 bits. Do this with maximum precision. 3730 */ 3731 x = ((x << 16) + (x >> 9)) / (x >> 8); 3732 3733 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24, 3734 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly 3735 * 16 bits to interpolate to get the low bits of the result. Round the 3736 * answer. Note that the end point values are scaled by 64 to retain overall 3737 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust 3738 * the overall scaling by 6-12. Round at every step. 3739 */ 3740 x -= 1U << 24; 3741 3742 if (x <= 65536U) /* <= '257' */ 3743 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12); 3744 3745 else 3746 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12); 3747 3748 /* Safe, because the result can't have more than 20 bits: */ 3749 return (png_int_32)((lg2 + 2048) >> 12); 3750 } 3751 #endif /* 16BIT */ 3752 3753 /* The 'exp()' case must invert the above, taking a 20-bit fixed point 3754 * logarithmic value and returning a 16 or 8-bit number as appropriate. In 3755 * each case only the low 16 bits are relevant - the fraction - since the 3756 * integer bits (the top 4) simply determine a shift. 3757 * 3758 * The worst case is the 16-bit distinction between 65535 and 65534. This 3759 * requires perhaps spurious accuracy in the decoding of the logarithm to 3760 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance 3761 * of getting this accuracy in practice. 3762 * 3763 * To deal with this the following exp() function works out the exponent of the 3764 * fractional part of the logarithm by using an accurate 32-bit value from the 3765 * top four fractional bits then multiplying in the remaining bits. 3766 */ 3767 static const png_uint_32 3768 png_32bit_exp[16] = 3769 { 3770 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */ 3771 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U, 3772 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U, 3773 2553802834U, 2445529972U, 2341847524U, 2242560872U 3774 }; 3775 3776 /* Adjustment table; provided to explain the numbers in the code below. */ 3777 #if 0 3778 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"} 3779 11 44937.64284865548751208448 3780 10 45180.98734845585101160448 3781 9 45303.31936980687359311872 3782 8 45364.65110595323018870784 3783 7 45395.35850361789624614912 3784 6 45410.72259715102037508096 3785 5 45418.40724413220722311168 3786 4 45422.25021786898173001728 3787 3 45424.17186732298419044352 3788 2 45425.13273269940811464704 3789 1 45425.61317555035558641664 3790 0 45425.85339951654943850496 3791 #endif 3792 3793 static png_uint_32 3794 png_exp(png_fixed_point x) 3795 { 3796 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */ 3797 { 3798 /* Obtain a 4-bit approximation */ 3799 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f]; 3800 3801 /* Incorporate the low 12 bits - these decrease the returned value by 3802 * multiplying by a number less than 1 if the bit is set. The multiplier 3803 * is determined by the above table and the shift. Notice that the values 3804 * converge on 45426 and this is used to allow linear interpolation of the 3805 * low bits. 3806 */ 3807 if (x & 0x800) 3808 e -= (((e >> 16) * 44938U) + 16U) >> 5; 3809 3810 if (x & 0x400) 3811 e -= (((e >> 16) * 45181U) + 32U) >> 6; 3812 3813 if (x & 0x200) 3814 e -= (((e >> 16) * 45303U) + 64U) >> 7; 3815 3816 if (x & 0x100) 3817 e -= (((e >> 16) * 45365U) + 128U) >> 8; 3818 3819 if (x & 0x080) 3820 e -= (((e >> 16) * 45395U) + 256U) >> 9; 3821 3822 if (x & 0x040) 3823 e -= (((e >> 16) * 45410U) + 512U) >> 10; 3824 3825 /* And handle the low 6 bits in a single block. */ 3826 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9; 3827 3828 /* Handle the upper bits of x. */ 3829 e >>= x >> 16; 3830 return e; 3831 } 3832 3833 /* Check for overflow */ 3834 if (x <= 0) 3835 return png_32bit_exp[0]; 3836 3837 /* Else underflow */ 3838 return 0; 3839 } 3840 3841 static png_byte 3842 png_exp8bit(png_fixed_point lg2) 3843 { 3844 /* Get a 32-bit value: */ 3845 png_uint_32 x = png_exp(lg2); 3846 3847 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the 3848 * second, rounding, step can't overflow because of the first, subtraction, 3849 * step. 3850 */ 3851 x -= x >> 8; 3852 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff); 3853 } 3854 3855 #ifdef PNG_16BIT_SUPPORTED 3856 static png_uint_16 3857 png_exp16bit(png_fixed_point lg2) 3858 { 3859 /* Get a 32-bit value: */ 3860 png_uint_32 x = png_exp(lg2); 3861 3862 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */ 3863 x -= x >> 16; 3864 return (png_uint_16)((x + 32767U) >> 16); 3865 } 3866 #endif /* 16BIT */ 3867 #endif /* FLOATING_ARITHMETIC */ 3868 3869 png_byte 3870 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val) 3871 { 3872 if (value > 0 && value < 255) 3873 { 3874 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3875 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly 3876 * convert this to a floating point value. This includes values that 3877 * would overflow if 'value' were to be converted to 'int'. 3878 * 3879 * Apparently GCC, however, does an intermediate conversion to (int) 3880 * on some (ARM) but not all (x86) platforms, possibly because of 3881 * hardware FP limitations. (E.g. if the hardware conversion always 3882 * assumes the integer register contains a signed value.) This results 3883 * in ANSI-C undefined behavior for large values. 3884 * 3885 * Other implementations on the same machine might actually be ANSI-C90 3886 * conformant and therefore compile spurious extra code for the large 3887 * values. 3888 * 3889 * We can be reasonably sure that an unsigned to float conversion 3890 * won't be faster than an int to float one. Therefore this code 3891 * assumes responsibility for the undefined behavior, which it knows 3892 * can't happen because of the check above. 3893 * 3894 * Note the argument to this routine is an (unsigned int) because, on 3895 * 16-bit platforms, it is assigned a value which might be out of 3896 * range for an (int); that would result in undefined behavior in the 3897 * caller if the *argument* ('value') were to be declared (int). 3898 */ 3899 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5); 3900 return (png_byte)r; 3901 # else 3902 png_int_32 lg2 = png_log8bit(value); 3903 png_fixed_point res; 3904 3905 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3906 return png_exp8bit(res); 3907 3908 /* Overflow. */ 3909 value = 0; 3910 # endif 3911 } 3912 3913 return (png_byte)(value & 0xff); 3914 } 3915 3916 #ifdef PNG_16BIT_SUPPORTED 3917 png_uint_16 3918 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val) 3919 { 3920 if (value > 0 && value < 65535) 3921 { 3922 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3923 /* The same (unsigned int)->(double) constraints apply here as above, 3924 * however in this case the (unsigned int) to (int) conversion can 3925 * overflow on an ANSI-C90 compliant system so the cast needs to ensure 3926 * that this is not possible. 3927 */ 3928 double r = floor(65535*pow((png_int_32)value/65535., 3929 gamma_val*.00001)+.5); 3930 return (png_uint_16)r; 3931 # else 3932 png_int_32 lg2 = png_log16bit(value); 3933 png_fixed_point res; 3934 3935 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3936 return png_exp16bit(res); 3937 3938 /* Overflow. */ 3939 value = 0; 3940 # endif 3941 } 3942 3943 return (png_uint_16)value; 3944 } 3945 #endif /* 16BIT */ 3946 3947 /* This does the right thing based on the bit_depth field of the 3948 * png_struct, interpreting values as 8-bit or 16-bit. While the result 3949 * is nominally a 16-bit value if bit depth is 8 then the result is 3950 * 8-bit (as are the arguments.) 3951 */ 3952 png_uint_16 /* PRIVATE */ 3953 png_gamma_correct(png_structrp png_ptr, unsigned int value, 3954 png_fixed_point gamma_val) 3955 { 3956 if (png_ptr->bit_depth == 8) 3957 return png_gamma_8bit_correct(value, gamma_val); 3958 3959 #ifdef PNG_16BIT_SUPPORTED 3960 else 3961 return png_gamma_16bit_correct(value, gamma_val); 3962 #else 3963 /* should not reach this */ 3964 return 0; 3965 #endif /* 16BIT */ 3966 } 3967 3968 #ifdef PNG_16BIT_SUPPORTED 3969 /* Internal function to build a single 16-bit table - the table consists of 3970 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount 3971 * to shift the input values right (or 16-number_of_signifiant_bits). 3972 * 3973 * The caller is responsible for ensuring that the table gets cleaned up on 3974 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument 3975 * should be somewhere that will be cleaned. 3976 */ 3977 static void 3978 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable, 3979 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 3980 { 3981 /* Various values derived from 'shift': */ 3982 PNG_CONST unsigned int num = 1U << (8U - shift); 3983 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3984 /* CSE the division and work round wacky GCC warnings (see the comments 3985 * in png_gamma_8bit_correct for where these come from.) 3986 */ 3987 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1); 3988 #endif 3989 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 3990 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift); 3991 unsigned int i; 3992 3993 png_uint_16pp table = *ptable = 3994 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 3995 3996 for (i = 0; i < num; i++) 3997 { 3998 png_uint_16p sub_table = table[i] = 3999 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16))); 4000 4001 /* The 'threshold' test is repeated here because it can arise for one of 4002 * the 16-bit tables even if the others don't hit it. 4003 */ 4004 if (png_gamma_significant(gamma_val) != 0) 4005 { 4006 /* The old code would overflow at the end and this would cause the 4007 * 'pow' function to return a result >1, resulting in an 4008 * arithmetic error. This code follows the spec exactly; ig is 4009 * the recovered input sample, it always has 8-16 bits. 4010 * 4011 * We want input * 65535/max, rounded, the arithmetic fits in 32 4012 * bits (unsigned) so long as max <= 32767. 4013 */ 4014 unsigned int j; 4015 for (j = 0; j < 256; j++) 4016 { 4017 png_uint_32 ig = (j << (8-shift)) + i; 4018 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 4019 /* Inline the 'max' scaling operation: */ 4020 /* See png_gamma_8bit_correct for why the cast to (int) is 4021 * required here. 4022 */ 4023 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5); 4024 sub_table[j] = (png_uint_16)d; 4025 # else 4026 if (shift != 0) 4027 ig = (ig * 65535U + max_by_2)/max; 4028 4029 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val); 4030 # endif 4031 } 4032 } 4033 else 4034 { 4035 /* We must still build a table, but do it the fast way. */ 4036 unsigned int j; 4037 4038 for (j = 0; j < 256; j++) 4039 { 4040 png_uint_32 ig = (j << (8-shift)) + i; 4041 4042 if (shift != 0) 4043 ig = (ig * 65535U + max_by_2)/max; 4044 4045 sub_table[j] = (png_uint_16)ig; 4046 } 4047 } 4048 } 4049 } 4050 4051 /* NOTE: this function expects the *inverse* of the overall gamma transformation 4052 * required. 4053 */ 4054 static void 4055 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable, 4056 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 4057 { 4058 PNG_CONST unsigned int num = 1U << (8U - shift); 4059 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 4060 unsigned int i; 4061 png_uint_32 last; 4062 4063 png_uint_16pp table = *ptable = 4064 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 4065 4066 /* 'num' is the number of tables and also the number of low bits of low 4067 * bits of the input 16-bit value used to select a table. Each table is 4068 * itself indexed by the high 8 bits of the value. 4069 */ 4070 for (i = 0; i < num; i++) 4071 table[i] = (png_uint_16p)png_malloc(png_ptr, 4072 256 * (sizeof (png_uint_16))); 4073 4074 /* 'gamma_val' is set to the reciprocal of the value calculated above, so 4075 * pow(out,g) is an *input* value. 'last' is the last input value set. 4076 * 4077 * In the loop 'i' is used to find output values. Since the output is 4078 * 8-bit there are only 256 possible values. The tables are set up to 4079 * select the closest possible output value for each input by finding 4080 * the input value at the boundary between each pair of output values 4081 * and filling the table up to that boundary with the lower output 4082 * value. 4083 * 4084 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit 4085 * values the code below uses a 16-bit value in i; the values start at 4086 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last 4087 * entries are filled with 255). Start i at 128 and fill all 'last' 4088 * table entries <= 'max' 4089 */ 4090 last = 0; 4091 for (i = 0; i < 255; ++i) /* 8-bit output value */ 4092 { 4093 /* Find the corresponding maximum input value */ 4094 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */ 4095 4096 /* Find the boundary value in 16 bits: */ 4097 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val); 4098 4099 /* Adjust (round) to (16-shift) bits: */ 4100 bound = (bound * max + 32768U)/65535U + 1U; 4101 4102 while (last < bound) 4103 { 4104 table[last & (0xffU >> shift)][last >> (8U - shift)] = out; 4105 last++; 4106 } 4107 } 4108 4109 /* And fill in the final entries. */ 4110 while (last < (num << 8)) 4111 { 4112 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U; 4113 last++; 4114 } 4115 } 4116 #endif /* 16BIT */ 4117 4118 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and 4119 * typically much faster). Note that libpng currently does no sBIT processing 4120 * (apparently contrary to the spec) so a 256-entry table is always generated. 4121 */ 4122 static void 4123 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable, 4124 PNG_CONST png_fixed_point gamma_val) 4125 { 4126 unsigned int i; 4127 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256); 4128 4129 if (png_gamma_significant(gamma_val) != 0) 4130 for (i=0; i<256; i++) 4131 table[i] = png_gamma_8bit_correct(i, gamma_val); 4132 4133 else 4134 for (i=0; i<256; ++i) 4135 table[i] = (png_byte)(i & 0xff); 4136 } 4137 4138 /* Used from png_read_destroy and below to release the memory used by the gamma 4139 * tables. 4140 */ 4141 void /* PRIVATE */ 4142 png_destroy_gamma_table(png_structrp png_ptr) 4143 { 4144 png_free(png_ptr, png_ptr->gamma_table); 4145 png_ptr->gamma_table = NULL; 4146 4147 #ifdef PNG_16BIT_SUPPORTED 4148 if (png_ptr->gamma_16_table != NULL) 4149 { 4150 int i; 4151 int istop = (1 << (8 - png_ptr->gamma_shift)); 4152 for (i = 0; i < istop; i++) 4153 { 4154 png_free(png_ptr, png_ptr->gamma_16_table[i]); 4155 } 4156 png_free(png_ptr, png_ptr->gamma_16_table); 4157 png_ptr->gamma_16_table = NULL; 4158 } 4159 #endif /* 16BIT */ 4160 4161 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4162 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4163 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4164 png_free(png_ptr, png_ptr->gamma_from_1); 4165 png_ptr->gamma_from_1 = NULL; 4166 png_free(png_ptr, png_ptr->gamma_to_1); 4167 png_ptr->gamma_to_1 = NULL; 4168 4169 #ifdef PNG_16BIT_SUPPORTED 4170 if (png_ptr->gamma_16_from_1 != NULL) 4171 { 4172 int i; 4173 int istop = (1 << (8 - png_ptr->gamma_shift)); 4174 for (i = 0; i < istop; i++) 4175 { 4176 png_free(png_ptr, png_ptr->gamma_16_from_1[i]); 4177 } 4178 png_free(png_ptr, png_ptr->gamma_16_from_1); 4179 png_ptr->gamma_16_from_1 = NULL; 4180 } 4181 if (png_ptr->gamma_16_to_1 != NULL) 4182 { 4183 int i; 4184 int istop = (1 << (8 - png_ptr->gamma_shift)); 4185 for (i = 0; i < istop; i++) 4186 { 4187 png_free(png_ptr, png_ptr->gamma_16_to_1[i]); 4188 } 4189 png_free(png_ptr, png_ptr->gamma_16_to_1); 4190 png_ptr->gamma_16_to_1 = NULL; 4191 } 4192 #endif /* 16BIT */ 4193 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4194 } 4195 4196 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit 4197 * tables, we don't make a full table if we are reducing to 8-bit in 4198 * the future. Note also how the gamma_16 tables are segmented so that 4199 * we don't need to allocate > 64K chunks for a full 16-bit table. 4200 */ 4201 void /* PRIVATE */ 4202 png_build_gamma_table(png_structrp png_ptr, int bit_depth) 4203 { 4204 png_debug(1, "in png_build_gamma_table"); 4205 4206 /* Remove any existing table; this copes with multiple calls to 4207 * png_read_update_info. The warning is because building the gamma tables 4208 * multiple times is a performance hit - it's harmless but the ability to 4209 * call png_read_update_info() multiple times is new in 1.5.6 so it seems 4210 * sensible to warn if the app introduces such a hit. 4211 */ 4212 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL) 4213 { 4214 png_warning(png_ptr, "gamma table being rebuilt"); 4215 png_destroy_gamma_table(png_ptr); 4216 } 4217 4218 if (bit_depth <= 8) 4219 { 4220 png_build_8bit_table(png_ptr, &png_ptr->gamma_table, 4221 png_ptr->screen_gamma > 0 ? 4222 png_reciprocal2(png_ptr->colorspace.gamma, 4223 png_ptr->screen_gamma) : PNG_FP_1); 4224 4225 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4226 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4227 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4228 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4229 { 4230 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1, 4231 png_reciprocal(png_ptr->colorspace.gamma)); 4232 4233 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1, 4234 png_ptr->screen_gamma > 0 ? 4235 png_reciprocal(png_ptr->screen_gamma) : 4236 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4237 } 4238 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4239 } 4240 #ifdef PNG_16BIT_SUPPORTED 4241 else 4242 { 4243 png_byte shift, sig_bit; 4244 4245 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) 4246 { 4247 sig_bit = png_ptr->sig_bit.red; 4248 4249 if (png_ptr->sig_bit.green > sig_bit) 4250 sig_bit = png_ptr->sig_bit.green; 4251 4252 if (png_ptr->sig_bit.blue > sig_bit) 4253 sig_bit = png_ptr->sig_bit.blue; 4254 } 4255 else 4256 sig_bit = png_ptr->sig_bit.gray; 4257 4258 /* 16-bit gamma code uses this equation: 4259 * 4260 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8] 4261 * 4262 * Where 'iv' is the input color value and 'ov' is the output value - 4263 * pow(iv, gamma). 4264 * 4265 * Thus the gamma table consists of up to 256 256-entry tables. The table 4266 * is selected by the (8-gamma_shift) most significant of the low 8 bits 4267 * of the color value then indexed by the upper 8 bits: 4268 * 4269 * table[low bits][high 8 bits] 4270 * 4271 * So the table 'n' corresponds to all those 'iv' of: 4272 * 4273 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1> 4274 * 4275 */ 4276 if (sig_bit > 0 && sig_bit < 16U) 4277 /* shift == insignificant bits */ 4278 shift = (png_byte)((16U - sig_bit) & 0xff); 4279 4280 else 4281 shift = 0; /* keep all 16 bits */ 4282 4283 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4284 { 4285 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively 4286 * the significant bits in the *input* when the output will 4287 * eventually be 8 bits. By default it is 11. 4288 */ 4289 if (shift < (16U - PNG_MAX_GAMMA_8)) 4290 shift = (16U - PNG_MAX_GAMMA_8); 4291 } 4292 4293 if (shift > 8U) 4294 shift = 8U; /* Guarantees at least one table! */ 4295 4296 png_ptr->gamma_shift = shift; 4297 4298 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now 4299 * PNG_COMPOSE). This effectively smashed the background calculation for 4300 * 16-bit output because the 8-bit table assumes the result will be 4301 * reduced to 8 bits. 4302 */ 4303 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4304 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift, 4305 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma, 4306 png_ptr->screen_gamma) : PNG_FP_1); 4307 4308 else 4309 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift, 4310 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4311 png_ptr->screen_gamma) : PNG_FP_1); 4312 4313 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4314 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4315 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4316 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4317 { 4318 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift, 4319 png_reciprocal(png_ptr->colorspace.gamma)); 4320 4321 /* Notice that the '16 from 1' table should be full precision, however 4322 * the lookup on this table still uses gamma_shift, so it can't be. 4323 * TODO: fix this. 4324 */ 4325 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift, 4326 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4327 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4328 } 4329 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4330 } 4331 #endif /* 16BIT */ 4332 } 4333 #endif /* READ_GAMMA */ 4334 4335 /* HARDWARE OR SOFTWARE OPTION SUPPORT */ 4336 #ifdef PNG_SET_OPTION_SUPPORTED 4337 int PNGAPI 4338 png_set_option(png_structrp png_ptr, int option, int onoff) 4339 { 4340 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT && 4341 (option & 1) == 0) 4342 { 4343 png_uint_32 mask = 3U << option; 4344 png_uint_32 setting = (2U + (onoff != 0)) << option; 4345 png_uint_32 current = png_ptr->options; 4346 4347 png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff); 4348 4349 return (int)(current & mask) >> option; 4350 } 4351 4352 return PNG_OPTION_INVALID; 4353 } 4354 #endif 4355 4356 /* sRGB support */ 4357 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4358 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4359 /* sRGB conversion tables; these are machine generated with the code in 4360 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the 4361 * specification (see the article at https://en.wikipedia.org/wiki/SRGB) 4362 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng. 4363 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction). 4364 * The inverse (linear to sRGB) table has accuracies as follows: 4365 * 4366 * For all possible (255*65535+1) input values: 4367 * 4368 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact 4369 * 4370 * For the input values corresponding to the 65536 16-bit values: 4371 * 4372 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact 4373 * 4374 * In all cases the inexact readings are only off by one. 4375 */ 4376 4377 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4378 /* The convert-to-sRGB table is only currently required for read. */ 4379 const png_uint_16 png_sRGB_table[256] = 4380 { 4381 0,20,40,60,80,99,119,139, 4382 159,179,199,219,241,264,288,313, 4383 340,367,396,427,458,491,526,562, 4384 599,637,677,718,761,805,851,898, 4385 947,997,1048,1101,1156,1212,1270,1330, 4386 1391,1453,1517,1583,1651,1720,1790,1863, 4387 1937,2013,2090,2170,2250,2333,2418,2504, 4388 2592,2681,2773,2866,2961,3058,3157,3258, 4389 3360,3464,3570,3678,3788,3900,4014,4129, 4390 4247,4366,4488,4611,4736,4864,4993,5124, 4391 5257,5392,5530,5669,5810,5953,6099,6246, 4392 6395,6547,6700,6856,7014,7174,7335,7500, 4393 7666,7834,8004,8177,8352,8528,8708,8889, 4394 9072,9258,9445,9635,9828,10022,10219,10417, 4395 10619,10822,11028,11235,11446,11658,11873,12090, 4396 12309,12530,12754,12980,13209,13440,13673,13909, 4397 14146,14387,14629,14874,15122,15371,15623,15878, 4398 16135,16394,16656,16920,17187,17456,17727,18001, 4399 18277,18556,18837,19121,19407,19696,19987,20281, 4400 20577,20876,21177,21481,21787,22096,22407,22721, 4401 23038,23357,23678,24002,24329,24658,24990,25325, 4402 25662,26001,26344,26688,27036,27386,27739,28094, 4403 28452,28813,29176,29542,29911,30282,30656,31033, 4404 31412,31794,32179,32567,32957,33350,33745,34143, 4405 34544,34948,35355,35764,36176,36591,37008,37429, 4406 37852,38278,38706,39138,39572,40009,40449,40891, 4407 41337,41785,42236,42690,43147,43606,44069,44534, 4408 45002,45473,45947,46423,46903,47385,47871,48359, 4409 48850,49344,49841,50341,50844,51349,51858,52369, 4410 52884,53401,53921,54445,54971,55500,56032,56567, 4411 57105,57646,58190,58737,59287,59840,60396,60955, 4412 61517,62082,62650,63221,63795,64372,64952,65535 4413 }; 4414 #endif /* SIMPLIFIED_READ */ 4415 4416 /* The base/delta tables are required for both read and write (but currently 4417 * only the simplified versions.) 4418 */ 4419 const png_uint_16 png_sRGB_base[512] = 4420 { 4421 128,1782,3383,4644,5675,6564,7357,8074, 4422 8732,9346,9921,10463,10977,11466,11935,12384, 4423 12816,13233,13634,14024,14402,14769,15125,15473, 4424 15812,16142,16466,16781,17090,17393,17690,17981, 4425 18266,18546,18822,19093,19359,19621,19879,20133, 4426 20383,20630,20873,21113,21349,21583,21813,22041, 4427 22265,22487,22707,22923,23138,23350,23559,23767, 4428 23972,24175,24376,24575,24772,24967,25160,25352, 4429 25542,25730,25916,26101,26284,26465,26645,26823, 4430 27000,27176,27350,27523,27695,27865,28034,28201, 4431 28368,28533,28697,28860,29021,29182,29341,29500, 4432 29657,29813,29969,30123,30276,30429,30580,30730, 4433 30880,31028,31176,31323,31469,31614,31758,31902, 4434 32045,32186,32327,32468,32607,32746,32884,33021, 4435 33158,33294,33429,33564,33697,33831,33963,34095, 4436 34226,34357,34486,34616,34744,34873,35000,35127, 4437 35253,35379,35504,35629,35753,35876,35999,36122, 4438 36244,36365,36486,36606,36726,36845,36964,37083, 4439 37201,37318,37435,37551,37668,37783,37898,38013, 4440 38127,38241,38354,38467,38580,38692,38803,38915, 4441 39026,39136,39246,39356,39465,39574,39682,39790, 4442 39898,40005,40112,40219,40325,40431,40537,40642, 4443 40747,40851,40955,41059,41163,41266,41369,41471, 4444 41573,41675,41777,41878,41979,42079,42179,42279, 4445 42379,42478,42577,42676,42775,42873,42971,43068, 4446 43165,43262,43359,43456,43552,43648,43743,43839, 4447 43934,44028,44123,44217,44311,44405,44499,44592, 4448 44685,44778,44870,44962,45054,45146,45238,45329, 4449 45420,45511,45601,45692,45782,45872,45961,46051, 4450 46140,46229,46318,46406,46494,46583,46670,46758, 4451 46846,46933,47020,47107,47193,47280,47366,47452, 4452 47538,47623,47709,47794,47879,47964,48048,48133, 4453 48217,48301,48385,48468,48552,48635,48718,48801, 4454 48884,48966,49048,49131,49213,49294,49376,49458, 4455 49539,49620,49701,49782,49862,49943,50023,50103, 4456 50183,50263,50342,50422,50501,50580,50659,50738, 4457 50816,50895,50973,51051,51129,51207,51285,51362, 4458 51439,51517,51594,51671,51747,51824,51900,51977, 4459 52053,52129,52205,52280,52356,52432,52507,52582, 4460 52657,52732,52807,52881,52956,53030,53104,53178, 4461 53252,53326,53400,53473,53546,53620,53693,53766, 4462 53839,53911,53984,54056,54129,54201,54273,54345, 4463 54417,54489,54560,54632,54703,54774,54845,54916, 4464 54987,55058,55129,55199,55269,55340,55410,55480, 4465 55550,55620,55689,55759,55828,55898,55967,56036, 4466 56105,56174,56243,56311,56380,56448,56517,56585, 4467 56653,56721,56789,56857,56924,56992,57059,57127, 4468 57194,57261,57328,57395,57462,57529,57595,57662, 4469 57728,57795,57861,57927,57993,58059,58125,58191, 4470 58256,58322,58387,58453,58518,58583,58648,58713, 4471 58778,58843,58908,58972,59037,59101,59165,59230, 4472 59294,59358,59422,59486,59549,59613,59677,59740, 4473 59804,59867,59930,59993,60056,60119,60182,60245, 4474 60308,60370,60433,60495,60558,60620,60682,60744, 4475 60806,60868,60930,60992,61054,61115,61177,61238, 4476 61300,61361,61422,61483,61544,61605,61666,61727, 4477 61788,61848,61909,61969,62030,62090,62150,62211, 4478 62271,62331,62391,62450,62510,62570,62630,62689, 4479 62749,62808,62867,62927,62986,63045,63104,63163, 4480 63222,63281,63340,63398,63457,63515,63574,63632, 4481 63691,63749,63807,63865,63923,63981,64039,64097, 4482 64155,64212,64270,64328,64385,64443,64500,64557, 4483 64614,64672,64729,64786,64843,64900,64956,65013, 4484 65070,65126,65183,65239,65296,65352,65409,65465 4485 }; 4486 4487 const png_byte png_sRGB_delta[512] = 4488 { 4489 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54, 4490 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36, 4491 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28, 4492 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24, 4493 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21, 4494 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19, 4495 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17, 4496 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16, 4497 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15, 4498 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14, 4499 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13, 4500 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12, 4501 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12, 4502 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11, 4503 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4504 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4505 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4506 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4507 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4508 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4509 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4510 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4511 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4512 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4513 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4514 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4515 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4516 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4517 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7, 4518 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4519 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4520 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7 4521 }; 4522 #endif /* SIMPLIFIED READ/WRITE sRGB support */ 4523 4524 /* SIMPLIFIED READ/WRITE SUPPORT */ 4525 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4526 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4527 static int 4528 png_image_free_function(png_voidp argument) 4529 { 4530 png_imagep image = png_voidcast(png_imagep, argument); 4531 png_controlp cp = image->opaque; 4532 png_control c; 4533 4534 /* Double check that we have a png_ptr - it should be impossible to get here 4535 * without one. 4536 */ 4537 if (cp->png_ptr == NULL) 4538 return 0; 4539 4540 /* First free any data held in the control structure. */ 4541 # ifdef PNG_STDIO_SUPPORTED 4542 if (cp->owned_file != 0) 4543 { 4544 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr); 4545 cp->owned_file = 0; 4546 4547 /* Ignore errors here. */ 4548 if (fp != NULL) 4549 { 4550 cp->png_ptr->io_ptr = NULL; 4551 (void)fclose(fp); 4552 } 4553 } 4554 # endif 4555 4556 /* Copy the control structure so that the original, allocated, version can be 4557 * safely freed. Notice that a png_error here stops the remainder of the 4558 * cleanup, but this is probably fine because that would indicate bad memory 4559 * problems anyway. 4560 */ 4561 c = *cp; 4562 image->opaque = &c; 4563 png_free(c.png_ptr, cp); 4564 4565 /* Then the structures, calling the correct API. */ 4566 if (c.for_write != 0) 4567 { 4568 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED 4569 png_destroy_write_struct(&c.png_ptr, &c.info_ptr); 4570 # else 4571 png_error(c.png_ptr, "simplified write not supported"); 4572 # endif 4573 } 4574 else 4575 { 4576 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4577 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL); 4578 # else 4579 png_error(c.png_ptr, "simplified read not supported"); 4580 # endif 4581 } 4582 4583 /* Success. */ 4584 return 1; 4585 } 4586 4587 void PNGAPI 4588 png_image_free(png_imagep image) 4589 { 4590 /* Safely call the real function, but only if doing so is safe at this point 4591 * (if not inside an error handling context). Otherwise assume 4592 * png_safe_execute will call this API after the return. 4593 */ 4594 if (image != NULL && image->opaque != NULL && 4595 image->opaque->error_buf == NULL) 4596 { 4597 /* Ignore errors here: */ 4598 (void)png_safe_execute(image, png_image_free_function, image); 4599 image->opaque = NULL; 4600 } 4601 } 4602 4603 int /* PRIVATE */ 4604 png_image_error(png_imagep image, png_const_charp error_message) 4605 { 4606 /* Utility to log an error. */ 4607 png_safecat(image->message, (sizeof image->message), 0, error_message); 4608 image->warning_or_error |= PNG_IMAGE_ERROR; 4609 png_image_free(image); 4610 return 0; 4611 } 4612 4613 #endif /* SIMPLIFIED READ/WRITE */ 4614 #endif /* READ || WRITE */ 4615