1
2 /* pngpread.c - read a png file in push mode
3 *
4 * Copyright (c) 2018 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17
18 /* Push model modes */
19 #define PNG_READ_SIG_MODE 0
20 #define PNG_READ_CHUNK_MODE 1
21 #define PNG_READ_IDAT_MODE 2
22 #define PNG_READ_tEXt_MODE 4
23 #define PNG_READ_zTXt_MODE 5
24 #define PNG_READ_DONE_MODE 6
25 #define PNG_READ_iTXt_MODE 7
26 #define PNG_ERROR_MODE 8
27
28 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \
29 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \
30 { png_push_save_buffer(png_ptr); return; }
31 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \
32 if (png_ptr->buffer_size < N) \
33 { png_push_save_buffer(png_ptr); return; }
34
35 void PNGAPI
png_process_data(png_structrp png_ptr,png_inforp info_ptr,png_bytep buffer,size_t buffer_size)36 png_process_data(png_structrp png_ptr, png_inforp info_ptr,
37 png_bytep buffer, size_t buffer_size)
38 {
39 if (png_ptr == NULL || info_ptr == NULL)
40 return;
41
42 png_push_restore_buffer(png_ptr, buffer, buffer_size);
43
44 while (png_ptr->buffer_size)
45 {
46 png_process_some_data(png_ptr, info_ptr);
47 }
48 }
49
50 size_t PNGAPI
png_process_data_pause(png_structrp png_ptr,int save)51 png_process_data_pause(png_structrp png_ptr, int save)
52 {
53 if (png_ptr != NULL)
54 {
55 /* It's easiest for the caller if we do the save; then the caller doesn't
56 * have to supply the same data again:
57 */
58 if (save != 0)
59 png_push_save_buffer(png_ptr);
60 else
61 {
62 /* This includes any pending saved bytes: */
63 size_t remaining = png_ptr->buffer_size;
64 png_ptr->buffer_size = 0;
65
66 /* So subtract the saved buffer size, unless all the data
67 * is actually 'saved', in which case we just return 0
68 */
69 if (png_ptr->save_buffer_size < remaining)
70 return remaining - png_ptr->save_buffer_size;
71 }
72 }
73
74 return 0;
75 }
76
77 png_uint_32 PNGAPI
png_process_data_skip(png_structrp png_ptr)78 png_process_data_skip(png_structrp png_ptr)
79 {
80 /* TODO: Deprecate and remove this API.
81 * Somewhere the implementation of this seems to have been lost,
82 * or abandoned. It was only to support some internal back-door access
83 * to png_struct) in libpng-1.4.x.
84 */
85 png_app_warning(png_ptr,
86 "png_process_data_skip is not implemented in any current version of libpng");
87 return 0;
88 }
89
90 /* What we do with the incoming data depends on what we were previously
91 * doing before we ran out of data...
92 */
93 void /* PRIVATE */
png_process_some_data(png_structrp png_ptr,png_inforp info_ptr)94 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
95 {
96 if (png_ptr == NULL)
97 return;
98
99 switch (png_ptr->process_mode)
100 {
101 case PNG_READ_SIG_MODE:
102 {
103 png_push_read_sig(png_ptr, info_ptr);
104 break;
105 }
106
107 case PNG_READ_CHUNK_MODE:
108 {
109 png_push_read_chunk(png_ptr, info_ptr);
110 break;
111 }
112
113 case PNG_READ_IDAT_MODE:
114 {
115 png_push_read_IDAT(png_ptr);
116 break;
117 }
118
119 default:
120 {
121 png_ptr->buffer_size = 0;
122 break;
123 }
124 }
125 }
126
127 /* Read any remaining signature bytes from the stream and compare them with
128 * the correct PNG signature. It is possible that this routine is called
129 * with bytes already read from the signature, either because they have been
130 * checked by the calling application, or because of multiple calls to this
131 * routine.
132 */
133 void /* PRIVATE */
png_push_read_sig(png_structrp png_ptr,png_inforp info_ptr)134 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
135 {
136 size_t num_checked = png_ptr->sig_bytes; /* SAFE, does not exceed 8 */
137 size_t num_to_check = 8 - num_checked;
138
139 if (png_ptr->buffer_size < num_to_check)
140 {
141 num_to_check = png_ptr->buffer_size;
142 }
143
144 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
145 num_to_check);
146 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
147
148 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
149 {
150 if (num_checked < 4 &&
151 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
152 png_error(png_ptr, "Not a PNG file");
153
154 else
155 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
156 }
157 else
158 {
159 if (png_ptr->sig_bytes >= 8)
160 {
161 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
162 }
163 }
164 }
165
166 void /* PRIVATE */
png_push_read_chunk(png_structrp png_ptr,png_inforp info_ptr)167 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
168 {
169 png_uint_32 chunk_name;
170 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
171 int keep; /* unknown handling method */
172 #endif
173
174 /* First we make sure we have enough data for the 4-byte chunk name
175 * and the 4-byte chunk length before proceeding with decoding the
176 * chunk data. To fully decode each of these chunks, we also make
177 * sure we have enough data in the buffer for the 4-byte CRC at the
178 * end of every chunk (except IDAT, which is handled separately).
179 */
180 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
181 {
182 png_byte chunk_length[4];
183 png_byte chunk_tag[4];
184
185 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
186 png_push_fill_buffer(png_ptr, chunk_length, 4);
187 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
188 png_reset_crc(png_ptr);
189 png_crc_read(png_ptr, chunk_tag, 4);
190 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
191 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
192 png_check_chunk_length(png_ptr, png_ptr->push_length);
193 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
194 }
195
196 chunk_name = png_ptr->chunk_name;
197
198 #ifdef PNG_READ_APNG_SUPPORTED
199 if (png_ptr->num_frames_read > 0 &&
200 png_ptr->num_frames_read < info_ptr->num_frames)
201 {
202 if (chunk_name == png_IDAT)
203 {
204 /* Discard trailing IDATs for the first frame */
205 if (png_ptr->mode & PNG_HAVE_fcTL || png_ptr->num_frames_read > 1)
206 png_error(png_ptr, "out of place IDAT");
207
208 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
209 {
210 png_push_save_buffer(png_ptr);
211 return;
212 }
213
214 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
215 return;
216 }
217 else if (chunk_name == png_fdAT)
218 {
219 if (png_ptr->buffer_size < 4)
220 {
221 png_push_save_buffer(png_ptr);
222 return;
223 }
224
225 png_ensure_sequence_number(png_ptr, 4);
226
227 if (!(png_ptr->mode & PNG_HAVE_fcTL))
228 {
229 /* Discard trailing fdATs for frames other than the first */
230 if (png_ptr->num_frames_read < 2)
231 png_error(png_ptr, "out of place fdAT");
232
233 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
234 {
235 png_push_save_buffer(png_ptr);
236 return;
237 }
238
239 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
240 return;
241 }
242
243 else
244 {
245 /* frame data follows */
246 png_ptr->idat_size = png_ptr->push_length - 4;
247 png_ptr->mode |= PNG_HAVE_IDAT;
248 png_ptr->process_mode = PNG_READ_IDAT_MODE;
249
250 return;
251 }
252 }
253
254 else if (chunk_name == png_fcTL)
255 {
256 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
257 {
258 png_push_save_buffer(png_ptr);
259 return;
260 }
261
262 png_read_reset(png_ptr);
263 png_ptr->mode &= ~PNG_HAVE_fcTL;
264
265 png_handle_fcTL(png_ptr, info_ptr, png_ptr->push_length);
266
267 if (!(png_ptr->mode & PNG_HAVE_fcTL))
268 png_error(png_ptr, "missing required fcTL chunk");
269
270 png_read_reinit(png_ptr, info_ptr);
271 png_progressive_read_reset(png_ptr);
272
273 if (png_ptr->frame_info_fn != NULL)
274 (*(png_ptr->frame_info_fn))(png_ptr, png_ptr->num_frames_read);
275
276 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
277
278 return;
279 }
280
281 else
282 {
283 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
284 {
285 png_push_save_buffer(png_ptr);
286 return;
287 }
288 png_warning(png_ptr, "Skipped (ignored) a chunk "
289 "between APNG chunks");
290 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
291 return;
292 }
293
294 return;
295 }
296 #endif /* PNG_READ_APNG_SUPPORTED */
297
298 if (chunk_name == png_IDAT)
299 {
300 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
301 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
302
303 /* If we reach an IDAT chunk, this means we have read all of the
304 * header chunks, and we can start reading the image (or if this
305 * is called after the image has been read - we have an error).
306 */
307 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
308 png_error(png_ptr, "Missing IHDR before IDAT");
309
310 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
311 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
312 png_error(png_ptr, "Missing PLTE before IDAT");
313
314 png_ptr->process_mode = PNG_READ_IDAT_MODE;
315
316 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
317 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
318 if (png_ptr->push_length == 0)
319 return;
320
321 png_ptr->mode |= PNG_HAVE_IDAT;
322
323 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
324 png_benign_error(png_ptr, "Too many IDATs found");
325 }
326
327 if (chunk_name == png_IHDR)
328 {
329 if (png_ptr->push_length != 13)
330 png_error(png_ptr, "Invalid IHDR length");
331
332 PNG_PUSH_SAVE_BUFFER_IF_FULL
333 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
334 }
335
336 else if (chunk_name == png_IEND)
337 {
338 PNG_PUSH_SAVE_BUFFER_IF_FULL
339 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
340
341 png_ptr->process_mode = PNG_READ_DONE_MODE;
342 png_push_have_end(png_ptr, info_ptr);
343 }
344
345 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
346 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
347 {
348 PNG_PUSH_SAVE_BUFFER_IF_FULL
349 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);
350
351 if (chunk_name == png_PLTE)
352 png_ptr->mode |= PNG_HAVE_PLTE;
353 }
354 #endif
355
356 else if (chunk_name == png_PLTE)
357 {
358 PNG_PUSH_SAVE_BUFFER_IF_FULL
359 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
360 }
361
362 else if (chunk_name == png_IDAT)
363 {
364 #ifdef PNG_READ_APNG_SUPPORTED
365 png_have_info(png_ptr, info_ptr);
366 #endif
367 png_ptr->idat_size = png_ptr->push_length;
368 png_ptr->process_mode = PNG_READ_IDAT_MODE;
369 png_push_have_info(png_ptr, info_ptr);
370 png_ptr->zstream.avail_out =
371 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
372 png_ptr->iwidth) + 1;
373 png_ptr->zstream.next_out = png_ptr->row_buf;
374 return;
375 }
376
377 #ifdef PNG_READ_gAMA_SUPPORTED
378 else if (png_ptr->chunk_name == png_gAMA)
379 {
380 PNG_PUSH_SAVE_BUFFER_IF_FULL
381 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
382 }
383
384 #endif
385 #ifdef PNG_READ_sBIT_SUPPORTED
386 else if (png_ptr->chunk_name == png_sBIT)
387 {
388 PNG_PUSH_SAVE_BUFFER_IF_FULL
389 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
390 }
391
392 #endif
393 #ifdef PNG_READ_cHRM_SUPPORTED
394 else if (png_ptr->chunk_name == png_cHRM)
395 {
396 PNG_PUSH_SAVE_BUFFER_IF_FULL
397 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
398 }
399
400 #endif
401 #ifdef PNG_READ_sRGB_SUPPORTED
402 else if (chunk_name == png_sRGB)
403 {
404 PNG_PUSH_SAVE_BUFFER_IF_FULL
405 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
406 }
407
408 #endif
409 #ifdef PNG_READ_iCCP_SUPPORTED
410 else if (png_ptr->chunk_name == png_iCCP)
411 {
412 PNG_PUSH_SAVE_BUFFER_IF_FULL
413 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
414 }
415
416 #endif
417 #ifdef PNG_READ_sPLT_SUPPORTED
418 else if (chunk_name == png_sPLT)
419 {
420 PNG_PUSH_SAVE_BUFFER_IF_FULL
421 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
422 }
423
424 #endif
425 #ifdef PNG_READ_tRNS_SUPPORTED
426 else if (chunk_name == png_tRNS)
427 {
428 PNG_PUSH_SAVE_BUFFER_IF_FULL
429 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
430 }
431
432 #endif
433 #ifdef PNG_READ_bKGD_SUPPORTED
434 else if (chunk_name == png_bKGD)
435 {
436 PNG_PUSH_SAVE_BUFFER_IF_FULL
437 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
438 }
439
440 #endif
441 #ifdef PNG_READ_hIST_SUPPORTED
442 else if (chunk_name == png_hIST)
443 {
444 PNG_PUSH_SAVE_BUFFER_IF_FULL
445 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
446 }
447
448 #endif
449 #ifdef PNG_READ_pHYs_SUPPORTED
450 else if (chunk_name == png_pHYs)
451 {
452 PNG_PUSH_SAVE_BUFFER_IF_FULL
453 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
454 }
455
456 #endif
457 #ifdef PNG_READ_oFFs_SUPPORTED
458 else if (chunk_name == png_oFFs)
459 {
460 PNG_PUSH_SAVE_BUFFER_IF_FULL
461 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
462 }
463 #endif
464
465 #ifdef PNG_READ_pCAL_SUPPORTED
466 else if (chunk_name == png_pCAL)
467 {
468 PNG_PUSH_SAVE_BUFFER_IF_FULL
469 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
470 }
471
472 #endif
473 #ifdef PNG_READ_sCAL_SUPPORTED
474 else if (chunk_name == png_sCAL)
475 {
476 PNG_PUSH_SAVE_BUFFER_IF_FULL
477 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
478 }
479
480 #endif
481 #ifdef PNG_READ_tIME_SUPPORTED
482 else if (chunk_name == png_tIME)
483 {
484 PNG_PUSH_SAVE_BUFFER_IF_FULL
485 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
486 }
487
488 #endif
489 #ifdef PNG_READ_tEXt_SUPPORTED
490 else if (chunk_name == png_tEXt)
491 {
492 PNG_PUSH_SAVE_BUFFER_IF_FULL
493 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
494 }
495
496 #endif
497 #ifdef PNG_READ_zTXt_SUPPORTED
498 else if (chunk_name == png_zTXt)
499 {
500 PNG_PUSH_SAVE_BUFFER_IF_FULL
501 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
502 }
503
504 #endif
505 #ifdef PNG_READ_iTXt_SUPPORTED
506 else if (chunk_name == png_iTXt)
507 {
508 PNG_PUSH_SAVE_BUFFER_IF_FULL
509 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
510 }
511 #endif
512 #ifdef PNG_READ_APNG_SUPPORTED
513 else if (chunk_name == png_acTL)
514 {
515 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
516 {
517 png_push_save_buffer(png_ptr);
518 return;
519 }
520
521 png_handle_acTL(png_ptr, info_ptr, png_ptr->push_length);
522 }
523
524 else if (chunk_name == png_fcTL)
525 {
526 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
527 {
528 png_push_save_buffer(png_ptr);
529 return;
530 }
531
532 png_handle_fcTL(png_ptr, info_ptr, png_ptr->push_length);
533 }
534
535 #endif /* PNG_READ_APNG_SUPPORTED */
536
537 else
538 {
539 PNG_PUSH_SAVE_BUFFER_IF_FULL
540 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
541 PNG_HANDLE_CHUNK_AS_DEFAULT);
542 }
543
544 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
545 }
546
547 void PNGCBAPI
png_push_fill_buffer(png_structp png_ptr,png_bytep buffer,size_t length)548 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, size_t length)
549 {
550 png_bytep ptr;
551
552 if (png_ptr == NULL)
553 return;
554
555 ptr = buffer;
556 if (png_ptr->save_buffer_size != 0)
557 {
558 size_t save_size;
559
560 if (length < png_ptr->save_buffer_size)
561 save_size = length;
562
563 else
564 save_size = png_ptr->save_buffer_size;
565
566 memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
567 length -= save_size;
568 ptr += save_size;
569 png_ptr->buffer_size -= save_size;
570 png_ptr->save_buffer_size -= save_size;
571 png_ptr->save_buffer_ptr += save_size;
572 }
573 if (length != 0 && png_ptr->current_buffer_size != 0)
574 {
575 size_t save_size;
576
577 if (length < png_ptr->current_buffer_size)
578 save_size = length;
579
580 else
581 save_size = png_ptr->current_buffer_size;
582
583 memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
584 png_ptr->buffer_size -= save_size;
585 png_ptr->current_buffer_size -= save_size;
586 png_ptr->current_buffer_ptr += save_size;
587 }
588 }
589
590 void /* PRIVATE */
png_push_save_buffer(png_structrp png_ptr)591 png_push_save_buffer(png_structrp png_ptr)
592 {
593 if (png_ptr->save_buffer_size != 0)
594 {
595 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
596 {
597 size_t i, istop;
598 png_bytep sp;
599 png_bytep dp;
600
601 istop = png_ptr->save_buffer_size;
602 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
603 i < istop; i++, sp++, dp++)
604 {
605 *dp = *sp;
606 }
607 }
608 }
609 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
610 png_ptr->save_buffer_max)
611 {
612 size_t new_max;
613 png_bytep old_buffer;
614
615 if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
616 (png_ptr->current_buffer_size + 256))
617 {
618 png_error(png_ptr, "Potential overflow of save_buffer");
619 }
620
621 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
622 old_buffer = png_ptr->save_buffer;
623 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
624 (size_t)new_max);
625
626 if (png_ptr->save_buffer == NULL)
627 {
628 png_free(png_ptr, old_buffer);
629 png_error(png_ptr, "Insufficient memory for save_buffer");
630 }
631
632 if (old_buffer)
633 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
634 else if (png_ptr->save_buffer_size)
635 png_error(png_ptr, "save_buffer error");
636 png_free(png_ptr, old_buffer);
637 png_ptr->save_buffer_max = new_max;
638 }
639 if (png_ptr->current_buffer_size)
640 {
641 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
642 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
643 png_ptr->save_buffer_size += png_ptr->current_buffer_size;
644 png_ptr->current_buffer_size = 0;
645 }
646 png_ptr->save_buffer_ptr = png_ptr->save_buffer;
647 png_ptr->buffer_size = 0;
648 }
649
650 void /* PRIVATE */
png_push_restore_buffer(png_structrp png_ptr,png_bytep buffer,size_t buffer_length)651 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
652 size_t buffer_length)
653 {
654 png_ptr->current_buffer = buffer;
655 png_ptr->current_buffer_size = buffer_length;
656 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
657 png_ptr->current_buffer_ptr = png_ptr->current_buffer;
658 }
659
660 void /* PRIVATE */
png_push_read_IDAT(png_structrp png_ptr)661 png_push_read_IDAT(png_structrp png_ptr)
662 {
663 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
664 {
665 png_byte chunk_length[4];
666 png_byte chunk_tag[4];
667
668 /* TODO: this code can be commoned up with the same code in push_read */
669 #ifdef PNG_READ_APNG_SUPPORTED
670 PNG_PUSH_SAVE_BUFFER_IF_LT(12)
671 #else
672 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
673 #endif
674 png_push_fill_buffer(png_ptr, chunk_length, 4);
675 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
676 png_reset_crc(png_ptr);
677 png_crc_read(png_ptr, chunk_tag, 4);
678 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
679 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
680
681 #ifdef PNG_READ_APNG_SUPPORTED
682 if (png_ptr->chunk_name != png_fdAT && png_ptr->num_frames_read > 0)
683 {
684 if (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED)
685 {
686 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
687 if (png_ptr->frame_end_fn != NULL)
688 (*(png_ptr->frame_end_fn))(png_ptr, png_ptr->num_frames_read);
689 png_ptr->num_frames_read++;
690 return;
691 }
692 else
693 {
694 if (png_ptr->chunk_name == png_IEND)
695 png_error(png_ptr, "Not enough image data");
696 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
697 {
698 png_push_save_buffer(png_ptr);
699 return;
700 }
701 png_warning(png_ptr, "Skipping (ignoring) a chunk between "
702 "APNG chunks");
703 png_crc_finish(png_ptr, png_ptr->push_length);
704 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
705 return;
706 }
707 }
708 else
709 #endif
710 #ifdef PNG_READ_APNG_SUPPORTED
711 if (png_ptr->chunk_name != png_IDAT && png_ptr->num_frames_read == 0)
712 #else
713 if (png_ptr->chunk_name != png_IDAT)
714 #endif
715 {
716 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
717
718 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
719 png_error(png_ptr, "Not enough compressed data");
720
721 #ifdef PNG_READ_APNG_SUPPORTED
722 if (png_ptr->frame_end_fn != NULL)
723 (*(png_ptr->frame_end_fn))(png_ptr, png_ptr->num_frames_read);
724 png_ptr->num_frames_read++;
725 #endif
726
727 return;
728 }
729
730 png_ptr->idat_size = png_ptr->push_length;
731
732 #ifdef PNG_READ_APNG_SUPPORTED
733 if (png_ptr->num_frames_read > 0)
734 {
735 png_ensure_sequence_number(png_ptr, 4);
736 png_ptr->idat_size -= 4;
737 }
738 #endif
739 }
740
741 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
742 {
743 size_t save_size = png_ptr->save_buffer_size;
744 png_uint_32 idat_size = png_ptr->idat_size;
745
746 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
747 * are of different types and we don't know which variable has the fewest
748 * bits. Carefully select the smaller and cast it to the type of the
749 * larger - this cannot overflow. Do not cast in the following test - it
750 * will break on either 16-bit or 64-bit platforms.
751 */
752 if (idat_size < save_size)
753 save_size = (size_t)idat_size;
754
755 else
756 idat_size = (png_uint_32)save_size;
757
758 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
759
760 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
761
762 png_ptr->idat_size -= idat_size;
763 png_ptr->buffer_size -= save_size;
764 png_ptr->save_buffer_size -= save_size;
765 png_ptr->save_buffer_ptr += save_size;
766 }
767
768 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
769 {
770 size_t save_size = png_ptr->current_buffer_size;
771 png_uint_32 idat_size = png_ptr->idat_size;
772
773 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
774 * are of different types and we don't know which variable has the fewest
775 * bits. Carefully select the smaller and cast it to the type of the
776 * larger - this cannot overflow.
777 */
778 if (idat_size < save_size)
779 save_size = (size_t)idat_size;
780
781 else
782 idat_size = (png_uint_32)save_size;
783
784 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
785
786 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
787
788 png_ptr->idat_size -= idat_size;
789 png_ptr->buffer_size -= save_size;
790 png_ptr->current_buffer_size -= save_size;
791 png_ptr->current_buffer_ptr += save_size;
792 }
793
794 if (png_ptr->idat_size == 0)
795 {
796 PNG_PUSH_SAVE_BUFFER_IF_LT(4)
797 png_crc_finish(png_ptr, 0);
798 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
799 png_ptr->mode |= PNG_AFTER_IDAT;
800 png_ptr->zowner = 0;
801 }
802 }
803
804 void /* PRIVATE */
png_process_IDAT_data(png_structrp png_ptr,png_bytep buffer,size_t buffer_length)805 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
806 size_t buffer_length)
807 {
808 /* The caller checks for a non-zero buffer length. */
809 if (!(buffer_length > 0) || buffer == NULL)
810 png_error(png_ptr, "No IDAT data (internal error)");
811
812 #ifdef PNG_READ_APNG_SUPPORTED
813 /* If the app is not APNG-aware, decode only the first frame */
814 if (!(png_ptr->apng_flags & PNG_APNG_APP) && png_ptr->num_frames_read > 0)
815 {
816 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
817 return;
818 }
819 #endif
820
821 /* This routine must process all the data it has been given
822 * before returning, calling the row callback as required to
823 * handle the uncompressed results.
824 */
825 png_ptr->zstream.next_in = buffer;
826 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
827 png_ptr->zstream.avail_in = (uInt)buffer_length;
828
829 /* Keep going until the decompressed data is all processed
830 * or the stream marked as finished.
831 */
832 while (png_ptr->zstream.avail_in > 0 &&
833 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
834 {
835 int ret;
836
837 /* We have data for zlib, but we must check that zlib
838 * has someplace to put the results. It doesn't matter
839 * if we don't expect any results -- it may be the input
840 * data is just the LZ end code.
841 */
842 if (!(png_ptr->zstream.avail_out > 0))
843 {
844 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
845 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
846 png_ptr->iwidth) + 1);
847
848 png_ptr->zstream.next_out = png_ptr->row_buf;
849 }
850
851 /* Using Z_SYNC_FLUSH here means that an unterminated
852 * LZ stream (a stream with a missing end code) can still
853 * be handled, otherwise (Z_NO_FLUSH) a future zlib
854 * implementation might defer output and therefore
855 * change the current behavior (see comments in inflate.c
856 * for why this doesn't happen at present with zlib 1.2.5).
857 */
858 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH);
859
860 /* Check for any failure before proceeding. */
861 if (ret != Z_OK && ret != Z_STREAM_END)
862 {
863 /* Terminate the decompression. */
864 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
865 png_ptr->zowner = 0;
866
867 /* This may be a truncated stream (missing or
868 * damaged end code). Treat that as a warning.
869 */
870 if (png_ptr->row_number >= png_ptr->num_rows ||
871 png_ptr->pass > 6)
872 png_warning(png_ptr, "Truncated compressed data in IDAT");
873
874 else
875 {
876 if (ret == Z_DATA_ERROR)
877 png_benign_error(png_ptr, "IDAT: ADLER32 checksum mismatch");
878 else
879 png_error(png_ptr, "Decompression error in IDAT");
880 }
881
882 /* Skip the check on unprocessed input */
883 return;
884 }
885
886 /* Did inflate output any data? */
887 if (png_ptr->zstream.next_out != png_ptr->row_buf)
888 {
889 /* Is this unexpected data after the last row?
890 * If it is, artificially terminate the LZ output
891 * here.
892 */
893 if (png_ptr->row_number >= png_ptr->num_rows ||
894 png_ptr->pass > 6)
895 {
896 /* Extra data. */
897 png_warning(png_ptr, "Extra compressed data in IDAT");
898 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
899 png_ptr->zowner = 0;
900
901 /* Do no more processing; skip the unprocessed
902 * input check below.
903 */
904 return;
905 }
906
907 /* Do we have a complete row? */
908 if (png_ptr->zstream.avail_out == 0)
909 png_push_process_row(png_ptr);
910 }
911
912 /* And check for the end of the stream. */
913 if (ret == Z_STREAM_END)
914 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
915 }
916
917 /* All the data should have been processed, if anything
918 * is left at this point we have bytes of IDAT data
919 * after the zlib end code.
920 */
921 if (png_ptr->zstream.avail_in > 0)
922 png_warning(png_ptr, "Extra compression data in IDAT");
923 }
924
925 void /* PRIVATE */
png_push_process_row(png_structrp png_ptr)926 png_push_process_row(png_structrp png_ptr)
927 {
928 /* 1.5.6: row_info moved out of png_struct to a local here. */
929 png_row_info row_info;
930
931 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
932 row_info.color_type = png_ptr->color_type;
933 row_info.bit_depth = png_ptr->bit_depth;
934 row_info.channels = png_ptr->channels;
935 row_info.pixel_depth = png_ptr->pixel_depth;
936 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
937
938 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
939 {
940 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
941 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
942 png_ptr->prev_row + 1, png_ptr->row_buf[0]);
943 else
944 png_error(png_ptr, "bad adaptive filter value");
945 }
946
947 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
948 * 1.5.6, while the buffer really is this big in current versions of libpng
949 * it may not be in the future, so this was changed just to copy the
950 * interlaced row count:
951 */
952 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
953
954 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
955 if (png_ptr->transformations != 0)
956 png_do_read_transformations(png_ptr, &row_info);
957 #endif
958
959 /* The transformed pixel depth should match the depth now in row_info. */
960 if (png_ptr->transformed_pixel_depth == 0)
961 {
962 png_ptr->transformed_pixel_depth = row_info.pixel_depth;
963 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
964 png_error(png_ptr, "progressive row overflow");
965 }
966
967 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
968 png_error(png_ptr, "internal progressive row size calculation error");
969
970
971 #ifdef PNG_READ_INTERLACING_SUPPORTED
972 /* Expand interlaced rows to full size */
973 if (png_ptr->interlaced != 0 &&
974 (png_ptr->transformations & PNG_INTERLACE) != 0)
975 {
976 if (png_ptr->pass < 6)
977 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
978 png_ptr->transformations);
979
980 switch (png_ptr->pass)
981 {
982 case 0:
983 {
984 int i;
985 for (i = 0; i < 8 && png_ptr->pass == 0; i++)
986 {
987 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
988 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
989 }
990
991 if (png_ptr->pass == 2) /* Pass 1 might be empty */
992 {
993 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
994 {
995 png_push_have_row(png_ptr, NULL);
996 png_read_push_finish_row(png_ptr);
997 }
998 }
999
1000 if (png_ptr->pass == 4 && png_ptr->height <= 4)
1001 {
1002 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1003 {
1004 png_push_have_row(png_ptr, NULL);
1005 png_read_push_finish_row(png_ptr);
1006 }
1007 }
1008
1009 if (png_ptr->pass == 6 && png_ptr->height <= 4)
1010 {
1011 png_push_have_row(png_ptr, NULL);
1012 png_read_push_finish_row(png_ptr);
1013 }
1014
1015 break;
1016 }
1017
1018 case 1:
1019 {
1020 int i;
1021 for (i = 0; i < 8 && png_ptr->pass == 1; i++)
1022 {
1023 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1024 png_read_push_finish_row(png_ptr);
1025 }
1026
1027 if (png_ptr->pass == 2) /* Skip top 4 generated rows */
1028 {
1029 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1030 {
1031 png_push_have_row(png_ptr, NULL);
1032 png_read_push_finish_row(png_ptr);
1033 }
1034 }
1035
1036 break;
1037 }
1038
1039 case 2:
1040 {
1041 int i;
1042
1043 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1044 {
1045 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1046 png_read_push_finish_row(png_ptr);
1047 }
1048
1049 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1050 {
1051 png_push_have_row(png_ptr, NULL);
1052 png_read_push_finish_row(png_ptr);
1053 }
1054
1055 if (png_ptr->pass == 4) /* Pass 3 might be empty */
1056 {
1057 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1058 {
1059 png_push_have_row(png_ptr, NULL);
1060 png_read_push_finish_row(png_ptr);
1061 }
1062 }
1063
1064 break;
1065 }
1066
1067 case 3:
1068 {
1069 int i;
1070
1071 for (i = 0; i < 4 && png_ptr->pass == 3; i++)
1072 {
1073 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1074 png_read_push_finish_row(png_ptr);
1075 }
1076
1077 if (png_ptr->pass == 4) /* Skip top two generated rows */
1078 {
1079 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1080 {
1081 png_push_have_row(png_ptr, NULL);
1082 png_read_push_finish_row(png_ptr);
1083 }
1084 }
1085
1086 break;
1087 }
1088
1089 case 4:
1090 {
1091 int i;
1092
1093 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1094 {
1095 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1096 png_read_push_finish_row(png_ptr);
1097 }
1098
1099 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1100 {
1101 png_push_have_row(png_ptr, NULL);
1102 png_read_push_finish_row(png_ptr);
1103 }
1104
1105 if (png_ptr->pass == 6) /* Pass 5 might be empty */
1106 {
1107 png_push_have_row(png_ptr, NULL);
1108 png_read_push_finish_row(png_ptr);
1109 }
1110
1111 break;
1112 }
1113
1114 case 5:
1115 {
1116 int i;
1117
1118 for (i = 0; i < 2 && png_ptr->pass == 5; i++)
1119 {
1120 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1121 png_read_push_finish_row(png_ptr);
1122 }
1123
1124 if (png_ptr->pass == 6) /* Skip top generated row */
1125 {
1126 png_push_have_row(png_ptr, NULL);
1127 png_read_push_finish_row(png_ptr);
1128 }
1129
1130 break;
1131 }
1132
1133 default:
1134 case 6:
1135 {
1136 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1137 png_read_push_finish_row(png_ptr);
1138
1139 if (png_ptr->pass != 6)
1140 break;
1141
1142 png_push_have_row(png_ptr, NULL);
1143 png_read_push_finish_row(png_ptr);
1144 }
1145 }
1146 }
1147 else
1148 #endif
1149 {
1150 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1151 png_read_push_finish_row(png_ptr);
1152 }
1153 }
1154
1155 void /* PRIVATE */
png_read_push_finish_row(png_structrp png_ptr)1156 png_read_push_finish_row(png_structrp png_ptr)
1157 {
1158 #ifdef PNG_READ_INTERLACING_SUPPORTED
1159 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1160
1161 /* Start of interlace block */
1162 static const png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
1163
1164 /* Offset to next interlace block */
1165 static const png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
1166
1167 /* Start of interlace block in the y direction */
1168 static const png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
1169
1170 /* Offset to next interlace block in the y direction */
1171 static const png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
1172
1173 /* Height of interlace block. This is not currently used - if you need
1174 * it, uncomment it here and in png.h
1175 static const png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
1176 */
1177 #endif
1178
1179 png_ptr->row_number++;
1180 if (png_ptr->row_number < png_ptr->num_rows)
1181 return;
1182
1183 #ifdef PNG_READ_INTERLACING_SUPPORTED
1184 if (png_ptr->interlaced != 0)
1185 {
1186 png_ptr->row_number = 0;
1187 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
1188
1189 do
1190 {
1191 png_ptr->pass++;
1192 if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
1193 (png_ptr->pass == 3 && png_ptr->width < 3) ||
1194 (png_ptr->pass == 5 && png_ptr->width < 2))
1195 png_ptr->pass++;
1196
1197 if (png_ptr->pass > 7)
1198 png_ptr->pass--;
1199
1200 if (png_ptr->pass >= 7)
1201 break;
1202
1203 png_ptr->iwidth = (png_ptr->width +
1204 png_pass_inc[png_ptr->pass] - 1 -
1205 png_pass_start[png_ptr->pass]) /
1206 png_pass_inc[png_ptr->pass];
1207
1208 if ((png_ptr->transformations & PNG_INTERLACE) != 0)
1209 break;
1210
1211 png_ptr->num_rows = (png_ptr->height +
1212 png_pass_yinc[png_ptr->pass] - 1 -
1213 png_pass_ystart[png_ptr->pass]) /
1214 png_pass_yinc[png_ptr->pass];
1215
1216 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1217 }
1218 #endif /* READ_INTERLACING */
1219 }
1220
1221 void /* PRIVATE */
png_push_have_info(png_structrp png_ptr,png_inforp info_ptr)1222 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
1223 {
1224 if (png_ptr->info_fn != NULL)
1225 (*(png_ptr->info_fn))(png_ptr, info_ptr);
1226 }
1227
1228 void /* PRIVATE */
png_push_have_end(png_structrp png_ptr,png_inforp info_ptr)1229 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
1230 {
1231 if (png_ptr->end_fn != NULL)
1232 (*(png_ptr->end_fn))(png_ptr, info_ptr);
1233 }
1234
1235 void /* PRIVATE */
png_push_have_row(png_structrp png_ptr,png_bytep row)1236 png_push_have_row(png_structrp png_ptr, png_bytep row)
1237 {
1238 if (png_ptr->row_fn != NULL)
1239 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1240 (int)png_ptr->pass);
1241 }
1242
1243 #ifdef PNG_READ_INTERLACING_SUPPORTED
1244 void PNGAPI
png_progressive_combine_row(png_const_structrp png_ptr,png_bytep old_row,png_const_bytep new_row)1245 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
1246 png_const_bytep new_row)
1247 {
1248 if (png_ptr == NULL)
1249 return;
1250
1251 /* new_row is a flag here - if it is NULL then the app callback was called
1252 * from an empty row (see the calls to png_struct::row_fn below), otherwise
1253 * it must be png_ptr->row_buf+1
1254 */
1255 if (new_row != NULL)
1256 png_combine_row(png_ptr, old_row, 1/*blocky display*/);
1257 }
1258 #endif /* READ_INTERLACING */
1259
1260 void PNGAPI
png_set_progressive_read_fn(png_structrp png_ptr,png_voidp progressive_ptr,png_progressive_info_ptr info_fn,png_progressive_row_ptr row_fn,png_progressive_end_ptr end_fn)1261 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
1262 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1263 png_progressive_end_ptr end_fn)
1264 {
1265 if (png_ptr == NULL)
1266 return;
1267
1268 png_ptr->info_fn = info_fn;
1269 png_ptr->row_fn = row_fn;
1270 png_ptr->end_fn = end_fn;
1271
1272 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1273 }
1274
1275 #ifdef PNG_READ_APNG_SUPPORTED
1276 void PNGAPI
png_set_progressive_frame_fn(png_structp png_ptr,png_progressive_frame_ptr frame_info_fn,png_progressive_frame_ptr frame_end_fn)1277 png_set_progressive_frame_fn(png_structp png_ptr,
1278 png_progressive_frame_ptr frame_info_fn,
1279 png_progressive_frame_ptr frame_end_fn)
1280 {
1281 png_ptr->frame_info_fn = frame_info_fn;
1282 png_ptr->frame_end_fn = frame_end_fn;
1283 png_ptr->apng_flags |= PNG_APNG_APP;
1284 }
1285 #endif
1286
1287 png_voidp PNGAPI
png_get_progressive_ptr(png_const_structrp png_ptr)1288 png_get_progressive_ptr(png_const_structrp png_ptr)
1289 {
1290 if (png_ptr == NULL)
1291 return (NULL);
1292
1293 return png_ptr->io_ptr;
1294 }
1295 #endif /* PROGRESSIVE_READ */
1296