1 
2 /* pngset.c - storage of image information into info struct
3  *
4  * Last changed in libpng 1.6.18 [July 23, 2015]
5  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  *
13  * The functions here are used during reads to store data from the file
14  * into the info struct, and during writes to store application data
15  * into the info struct for writing into the file.  This abstracts the
16  * info struct and allows us to change the structure in the future.
17  */
18 
19 #include "pngpriv.h"
20 
21 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
22 
23 #ifdef PNG_bKGD_SUPPORTED
24 void PNGAPI
png_set_bKGD(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_16p background)25 png_set_bKGD(png_const_structrp png_ptr, png_inforp info_ptr,
26     png_const_color_16p background)
27 {
28    png_debug1(1, "in %s storage function", "bKGD");
29 
30    if (png_ptr == NULL || info_ptr == NULL || background == NULL)
31       return;
32 
33    info_ptr->background = *background;
34    info_ptr->valid |= PNG_INFO_bKGD;
35 }
36 #endif
37 
38 #ifdef PNG_cHRM_SUPPORTED
39 void PNGFAPI
png_set_cHRM_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point white_x,png_fixed_point white_y,png_fixed_point red_x,png_fixed_point red_y,png_fixed_point green_x,png_fixed_point green_y,png_fixed_point blue_x,png_fixed_point blue_y)40 png_set_cHRM_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
41     png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
42     png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
43     png_fixed_point blue_x, png_fixed_point blue_y)
44 {
45    png_xy xy;
46 
47    png_debug1(1, "in %s storage function", "cHRM fixed");
48 
49    if (png_ptr == NULL || info_ptr == NULL)
50       return;
51 
52    xy.redx = red_x;
53    xy.redy = red_y;
54    xy.greenx = green_x;
55    xy.greeny = green_y;
56    xy.bluex = blue_x;
57    xy.bluey = blue_y;
58    xy.whitex = white_x;
59    xy.whitey = white_y;
60 
61    if (png_colorspace_set_chromaticities(png_ptr, &info_ptr->colorspace, &xy,
62        2/* override with app values*/) != 0)
63       info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
64 
65    png_colorspace_sync_info(png_ptr, info_ptr);
66 }
67 
68 void PNGFAPI
png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point int_red_X,png_fixed_point int_red_Y,png_fixed_point int_red_Z,png_fixed_point int_green_X,png_fixed_point int_green_Y,png_fixed_point int_green_Z,png_fixed_point int_blue_X,png_fixed_point int_blue_Y,png_fixed_point int_blue_Z)69 png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
70     png_fixed_point int_red_X, png_fixed_point int_red_Y,
71     png_fixed_point int_red_Z, png_fixed_point int_green_X,
72     png_fixed_point int_green_Y, png_fixed_point int_green_Z,
73     png_fixed_point int_blue_X, png_fixed_point int_blue_Y,
74     png_fixed_point int_blue_Z)
75 {
76    png_XYZ XYZ;
77 
78    png_debug1(1, "in %s storage function", "cHRM XYZ fixed");
79 
80    if (png_ptr == NULL || info_ptr == NULL)
81       return;
82 
83    XYZ.red_X = int_red_X;
84    XYZ.red_Y = int_red_Y;
85    XYZ.red_Z = int_red_Z;
86    XYZ.green_X = int_green_X;
87    XYZ.green_Y = int_green_Y;
88    XYZ.green_Z = int_green_Z;
89    XYZ.blue_X = int_blue_X;
90    XYZ.blue_Y = int_blue_Y;
91    XYZ.blue_Z = int_blue_Z;
92 
93    if (png_colorspace_set_endpoints(png_ptr, &info_ptr->colorspace,
94        &XYZ, 2) != 0)
95       info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
96 
97    png_colorspace_sync_info(png_ptr, info_ptr);
98 }
99 
100 #  ifdef PNG_FLOATING_POINT_SUPPORTED
101 void PNGAPI
png_set_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,double white_x,double white_y,double red_x,double red_y,double green_x,double green_y,double blue_x,double blue_y)102 png_set_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
103     double white_x, double white_y, double red_x, double red_y,
104     double green_x, double green_y, double blue_x, double blue_y)
105 {
106    png_set_cHRM_fixed(png_ptr, info_ptr,
107       png_fixed(png_ptr, white_x, "cHRM White X"),
108       png_fixed(png_ptr, white_y, "cHRM White Y"),
109       png_fixed(png_ptr, red_x, "cHRM Red X"),
110       png_fixed(png_ptr, red_y, "cHRM Red Y"),
111       png_fixed(png_ptr, green_x, "cHRM Green X"),
112       png_fixed(png_ptr, green_y, "cHRM Green Y"),
113       png_fixed(png_ptr, blue_x, "cHRM Blue X"),
114       png_fixed(png_ptr, blue_y, "cHRM Blue Y"));
115 }
116 
117 void PNGAPI
png_set_cHRM_XYZ(png_const_structrp png_ptr,png_inforp info_ptr,double red_X,double red_Y,double red_Z,double green_X,double green_Y,double green_Z,double blue_X,double blue_Y,double blue_Z)118 png_set_cHRM_XYZ(png_const_structrp png_ptr, png_inforp info_ptr, double red_X,
119     double red_Y, double red_Z, double green_X, double green_Y, double green_Z,
120     double blue_X, double blue_Y, double blue_Z)
121 {
122    png_set_cHRM_XYZ_fixed(png_ptr, info_ptr,
123       png_fixed(png_ptr, red_X, "cHRM Red X"),
124       png_fixed(png_ptr, red_Y, "cHRM Red Y"),
125       png_fixed(png_ptr, red_Z, "cHRM Red Z"),
126       png_fixed(png_ptr, green_X, "cHRM Red X"),
127       png_fixed(png_ptr, green_Y, "cHRM Red Y"),
128       png_fixed(png_ptr, green_Z, "cHRM Red Z"),
129       png_fixed(png_ptr, blue_X, "cHRM Red X"),
130       png_fixed(png_ptr, blue_Y, "cHRM Red Y"),
131       png_fixed(png_ptr, blue_Z, "cHRM Red Z"));
132 }
133 #  endif /* FLOATING_POINT */
134 
135 #endif /* cHRM */
136 
137 #ifdef PNG_gAMA_SUPPORTED
138 void PNGFAPI
png_set_gAMA_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point file_gamma)139 png_set_gAMA_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
140     png_fixed_point file_gamma)
141 {
142    png_debug1(1, "in %s storage function", "gAMA");
143 
144    if (png_ptr == NULL || info_ptr == NULL)
145       return;
146 
147    png_colorspace_set_gamma(png_ptr, &info_ptr->colorspace, file_gamma);
148    png_colorspace_sync_info(png_ptr, info_ptr);
149 }
150 
151 #  ifdef PNG_FLOATING_POINT_SUPPORTED
152 void PNGAPI
png_set_gAMA(png_const_structrp png_ptr,png_inforp info_ptr,double file_gamma)153 png_set_gAMA(png_const_structrp png_ptr, png_inforp info_ptr, double file_gamma)
154 {
155    png_set_gAMA_fixed(png_ptr, info_ptr, png_fixed(png_ptr, file_gamma,
156        "png_set_gAMA"));
157 }
158 #  endif
159 #endif
160 
161 #ifdef PNG_hIST_SUPPORTED
162 void PNGAPI
png_set_hIST(png_const_structrp png_ptr,png_inforp info_ptr,png_const_uint_16p hist)163 png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
164     png_const_uint_16p hist)
165 {
166    int i;
167 
168    png_debug1(1, "in %s storage function", "hIST");
169 
170    if (png_ptr == NULL || info_ptr == NULL)
171       return;
172 
173    if (info_ptr->num_palette == 0 || info_ptr->num_palette
174        > PNG_MAX_PALETTE_LENGTH)
175    {
176       png_warning(png_ptr,
177           "Invalid palette size, hIST allocation skipped");
178 
179       return;
180    }
181 
182    png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0);
183 
184    /* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in
185     * version 1.2.1
186     */
187    info_ptr->hist = png_voidcast(png_uint_16p, png_malloc_warn(png_ptr,
188        PNG_MAX_PALETTE_LENGTH * (sizeof (png_uint_16))));
189 
190    if (info_ptr->hist == NULL)
191    {
192       png_warning(png_ptr, "Insufficient memory for hIST chunk data");
193 
194       return;
195    }
196 
197    info_ptr->free_me |= PNG_FREE_HIST;
198 
199    for (i = 0; i < info_ptr->num_palette; i++)
200       info_ptr->hist[i] = hist[i];
201 
202    info_ptr->valid |= PNG_INFO_hIST;
203 }
204 #endif
205 
206 void PNGAPI
png_set_IHDR(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int interlace_type,int compression_type,int filter_type)207 png_set_IHDR(png_const_structrp png_ptr, png_inforp info_ptr,
208     png_uint_32 width, png_uint_32 height, int bit_depth,
209     int color_type, int interlace_type, int compression_type,
210     int filter_type)
211 {
212    png_debug1(1, "in %s storage function", "IHDR");
213 
214    if (png_ptr == NULL || info_ptr == NULL)
215       return;
216 
217    info_ptr->width = width;
218    info_ptr->height = height;
219    info_ptr->bit_depth = (png_byte)bit_depth;
220    info_ptr->color_type = (png_byte)color_type;
221    info_ptr->compression_type = (png_byte)compression_type;
222    info_ptr->filter_type = (png_byte)filter_type;
223    info_ptr->interlace_type = (png_byte)interlace_type;
224 
225    png_check_IHDR (png_ptr, info_ptr->width, info_ptr->height,
226        info_ptr->bit_depth, info_ptr->color_type, info_ptr->interlace_type,
227        info_ptr->compression_type, info_ptr->filter_type);
228 
229    if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
230       info_ptr->channels = 1;
231 
232    else if ((info_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
233       info_ptr->channels = 3;
234 
235    else
236       info_ptr->channels = 1;
237 
238    if ((info_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)
239       info_ptr->channels++;
240 
241    info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth);
242 
243    info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
244 }
245 
246 #ifdef PNG_oFFs_SUPPORTED
247 void PNGAPI
png_set_oFFs(png_const_structrp png_ptr,png_inforp info_ptr,png_int_32 offset_x,png_int_32 offset_y,int unit_type)248 png_set_oFFs(png_const_structrp png_ptr, png_inforp info_ptr,
249     png_int_32 offset_x, png_int_32 offset_y, int unit_type)
250 {
251    png_debug1(1, "in %s storage function", "oFFs");
252 
253    if (png_ptr == NULL || info_ptr == NULL)
254       return;
255 
256    info_ptr->x_offset = offset_x;
257    info_ptr->y_offset = offset_y;
258    info_ptr->offset_unit_type = (png_byte)unit_type;
259    info_ptr->valid |= PNG_INFO_oFFs;
260 }
261 #endif
262 
263 #ifdef PNG_pCAL_SUPPORTED
264 void PNGAPI
png_set_pCAL(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)265 png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr,
266     png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type,
267     int nparams, png_const_charp units, png_charpp params)
268 {
269    png_size_t length;
270    int i;
271 
272    png_debug1(1, "in %s storage function", "pCAL");
273 
274    if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
275        || (nparams > 0 && params == NULL))
276       return;
277 
278    length = strlen(purpose) + 1;
279    png_debug1(3, "allocating purpose for info (%lu bytes)",
280        (unsigned long)length);
281 
282    /* TODO: validate format of calibration name and unit name */
283 
284    /* Check that the type matches the specification. */
285    if (type < 0 || type > 3)
286       png_error(png_ptr, "Invalid pCAL equation type");
287 
288    if (nparams < 0 || nparams > 255)
289       png_error(png_ptr, "Invalid pCAL parameter count");
290 
291    /* Validate params[nparams] */
292    for (i=0; i<nparams; ++i)
293    {
294       if (params[i] == NULL ||
295           !png_check_fp_string(params[i], strlen(params[i])))
296          png_error(png_ptr, "Invalid format for pCAL parameter");
297    }
298 
299    info_ptr->pcal_purpose = png_voidcast(png_charp,
300        png_malloc_warn(png_ptr, length));
301 
302    if (info_ptr->pcal_purpose == NULL)
303    {
304       png_warning(png_ptr, "Insufficient memory for pCAL purpose");
305 
306       return;
307    }
308 
309    memcpy(info_ptr->pcal_purpose, purpose, length);
310 
311    png_debug(3, "storing X0, X1, type, and nparams in info");
312    info_ptr->pcal_X0 = X0;
313    info_ptr->pcal_X1 = X1;
314    info_ptr->pcal_type = (png_byte)type;
315    info_ptr->pcal_nparams = (png_byte)nparams;
316 
317    length = strlen(units) + 1;
318    png_debug1(3, "allocating units for info (%lu bytes)",
319      (unsigned long)length);
320 
321    info_ptr->pcal_units = png_voidcast(png_charp,
322       png_malloc_warn(png_ptr, length));
323 
324    if (info_ptr->pcal_units == NULL)
325    {
326       png_warning(png_ptr, "Insufficient memory for pCAL units");
327 
328       return;
329    }
330 
331    memcpy(info_ptr->pcal_units, units, length);
332 
333    info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
334        (png_size_t)((nparams + 1) * (sizeof (png_charp)))));
335 
336    if (info_ptr->pcal_params == NULL)
337    {
338       png_warning(png_ptr, "Insufficient memory for pCAL params");
339 
340       return;
341    }
342 
343    memset(info_ptr->pcal_params, 0, (nparams + 1) * (sizeof (png_charp)));
344 
345    for (i = 0; i < nparams; i++)
346    {
347       length = strlen(params[i]) + 1;
348       png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
349           (unsigned long)length);
350 
351       info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
352 
353       if (info_ptr->pcal_params[i] == NULL)
354       {
355          png_warning(png_ptr, "Insufficient memory for pCAL parameter");
356 
357          return;
358       }
359 
360       memcpy(info_ptr->pcal_params[i], params[i], length);
361    }
362 
363    info_ptr->valid |= PNG_INFO_pCAL;
364    info_ptr->free_me |= PNG_FREE_PCAL;
365 }
366 #endif
367 
368 #ifdef PNG_sCAL_SUPPORTED
369 void PNGAPI
png_set_sCAL_s(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_const_charp swidth,png_const_charp sheight)370 png_set_sCAL_s(png_const_structrp png_ptr, png_inforp info_ptr,
371     int unit, png_const_charp swidth, png_const_charp sheight)
372 {
373    png_size_t lengthw = 0, lengthh = 0;
374 
375    png_debug1(1, "in %s storage function", "sCAL");
376 
377    if (png_ptr == NULL || info_ptr == NULL)
378       return;
379 
380    /* Double check the unit (should never get here with an invalid
381     * unit unless this is an API call.)
382     */
383    if (unit != 1 && unit != 2)
384       png_error(png_ptr, "Invalid sCAL unit");
385 
386    if (swidth == NULL || (lengthw = strlen(swidth)) == 0 ||
387        swidth[0] == 45 /* '-' */ || !png_check_fp_string(swidth, lengthw))
388       png_error(png_ptr, "Invalid sCAL width");
389 
390    if (sheight == NULL || (lengthh = strlen(sheight)) == 0 ||
391        sheight[0] == 45 /* '-' */ || !png_check_fp_string(sheight, lengthh))
392       png_error(png_ptr, "Invalid sCAL height");
393 
394    info_ptr->scal_unit = (png_byte)unit;
395 
396    ++lengthw;
397 
398    png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthw);
399 
400    info_ptr->scal_s_width = png_voidcast(png_charp,
401       png_malloc_warn(png_ptr, lengthw));
402 
403    if (info_ptr->scal_s_width == NULL)
404    {
405       png_warning(png_ptr, "Memory allocation failed while processing sCAL");
406 
407       return;
408    }
409 
410    memcpy(info_ptr->scal_s_width, swidth, lengthw);
411 
412    ++lengthh;
413 
414    png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthh);
415 
416    info_ptr->scal_s_height = png_voidcast(png_charp,
417       png_malloc_warn(png_ptr, lengthh));
418 
419    if (info_ptr->scal_s_height == NULL)
420    {
421       png_free (png_ptr, info_ptr->scal_s_width);
422       info_ptr->scal_s_width = NULL;
423 
424       png_warning(png_ptr, "Memory allocation failed while processing sCAL");
425 
426       return;
427    }
428 
429    memcpy(info_ptr->scal_s_height, sheight, lengthh);
430 
431    info_ptr->valid |= PNG_INFO_sCAL;
432    info_ptr->free_me |= PNG_FREE_SCAL;
433 }
434 
435 #  ifdef PNG_FLOATING_POINT_SUPPORTED
436 void PNGAPI
png_set_sCAL(png_const_structrp png_ptr,png_inforp info_ptr,int unit,double width,double height)437 png_set_sCAL(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
438     double width, double height)
439 {
440    png_debug1(1, "in %s storage function", "sCAL");
441 
442    /* Check the arguments. */
443    if (width <= 0)
444       png_warning(png_ptr, "Invalid sCAL width ignored");
445 
446    else if (height <= 0)
447       png_warning(png_ptr, "Invalid sCAL height ignored");
448 
449    else
450    {
451       /* Convert 'width' and 'height' to ASCII. */
452       char swidth[PNG_sCAL_MAX_DIGITS+1];
453       char sheight[PNG_sCAL_MAX_DIGITS+1];
454 
455       png_ascii_from_fp(png_ptr, swidth, (sizeof swidth), width,
456          PNG_sCAL_PRECISION);
457       png_ascii_from_fp(png_ptr, sheight, (sizeof sheight), height,
458          PNG_sCAL_PRECISION);
459 
460       png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
461    }
462 }
463 #  endif
464 
465 #  ifdef PNG_FIXED_POINT_SUPPORTED
466 void PNGAPI
png_set_sCAL_fixed(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_fixed_point width,png_fixed_point height)467 png_set_sCAL_fixed(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
468     png_fixed_point width, png_fixed_point height)
469 {
470    png_debug1(1, "in %s storage function", "sCAL");
471 
472    /* Check the arguments. */
473    if (width <= 0)
474       png_warning(png_ptr, "Invalid sCAL width ignored");
475 
476    else if (height <= 0)
477       png_warning(png_ptr, "Invalid sCAL height ignored");
478 
479    else
480    {
481       /* Convert 'width' and 'height' to ASCII. */
482       char swidth[PNG_sCAL_MAX_DIGITS+1];
483       char sheight[PNG_sCAL_MAX_DIGITS+1];
484 
485       png_ascii_from_fixed(png_ptr, swidth, (sizeof swidth), width);
486       png_ascii_from_fixed(png_ptr, sheight, (sizeof sheight), height);
487 
488       png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
489    }
490 }
491 #  endif
492 #endif
493 
494 #ifdef PNG_pHYs_SUPPORTED
495 void PNGAPI
png_set_pHYs(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 res_x,png_uint_32 res_y,int unit_type)496 png_set_pHYs(png_const_structrp png_ptr, png_inforp info_ptr,
497     png_uint_32 res_x, png_uint_32 res_y, int unit_type)
498 {
499    png_debug1(1, "in %s storage function", "pHYs");
500 
501    if (png_ptr == NULL || info_ptr == NULL)
502       return;
503 
504    info_ptr->x_pixels_per_unit = res_x;
505    info_ptr->y_pixels_per_unit = res_y;
506    info_ptr->phys_unit_type = (png_byte)unit_type;
507    info_ptr->valid |= PNG_INFO_pHYs;
508 }
509 #endif
510 
511 void PNGAPI
png_set_PLTE(png_structrp png_ptr,png_inforp info_ptr,png_const_colorp palette,int num_palette)512 png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
513     png_const_colorp palette, int num_palette)
514 {
515 
516    png_debug1(1, "in %s storage function", "PLTE");
517 
518    if (png_ptr == NULL || info_ptr == NULL)
519       return;
520 
521    if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
522    {
523       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
524          png_error(png_ptr, "Invalid palette length");
525 
526       else
527       {
528          png_warning(png_ptr, "Invalid palette length");
529 
530          return;
531       }
532    }
533 
534    if ((num_palette > 0 && palette == NULL) ||
535       (num_palette == 0
536 #        ifdef PNG_MNG_FEATURES_SUPPORTED
537             && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
538 #        endif
539       ))
540    {
541       png_error(png_ptr, "Invalid palette");
542    }
543 
544    /* It may not actually be necessary to set png_ptr->palette here;
545     * we do it for backward compatibility with the way the png_handle_tRNS
546     * function used to do the allocation.
547     *
548     * 1.6.0: the above statement appears to be incorrect; something has to set
549     * the palette inside png_struct on read.
550     */
551    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
552 
553    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
554     * of num_palette entries, in case of an invalid PNG file that has
555     * too-large sample values.
556     */
557    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
558        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
559 
560    if (num_palette > 0)
561       memcpy(png_ptr->palette, palette, num_palette * (sizeof (png_color)));
562    info_ptr->palette = png_ptr->palette;
563    info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
564 
565    info_ptr->free_me |= PNG_FREE_PLTE;
566 
567    info_ptr->valid |= PNG_INFO_PLTE;
568 }
569 
570 #ifdef PNG_sBIT_SUPPORTED
571 void PNGAPI
png_set_sBIT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_8p sig_bit)572 png_set_sBIT(png_const_structrp png_ptr, png_inforp info_ptr,
573     png_const_color_8p sig_bit)
574 {
575    png_debug1(1, "in %s storage function", "sBIT");
576 
577    if (png_ptr == NULL || info_ptr == NULL || sig_bit == NULL)
578       return;
579 
580    info_ptr->sig_bit = *sig_bit;
581    info_ptr->valid |= PNG_INFO_sBIT;
582 }
583 #endif
584 
585 #ifdef PNG_sRGB_SUPPORTED
586 void PNGAPI
png_set_sRGB(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)587 png_set_sRGB(png_const_structrp png_ptr, png_inforp info_ptr, int srgb_intent)
588 {
589    png_debug1(1, "in %s storage function", "sRGB");
590 
591    if (png_ptr == NULL || info_ptr == NULL)
592       return;
593 
594    (void)png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace, srgb_intent);
595    png_colorspace_sync_info(png_ptr, info_ptr);
596 }
597 
598 void PNGAPI
png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)599 png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
600     int srgb_intent)
601 {
602    png_debug1(1, "in %s storage function", "sRGB_gAMA_and_cHRM");
603 
604    if (png_ptr == NULL || info_ptr == NULL)
605       return;
606 
607    if (png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace,
608        srgb_intent) != 0)
609    {
610       /* This causes the gAMA and cHRM to be written too */
611       info_ptr->colorspace.flags |=
612          PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
613    }
614 
615    png_colorspace_sync_info(png_ptr, info_ptr);
616 }
617 #endif /* sRGB */
618 
619 
620 #ifdef PNG_iCCP_SUPPORTED
621 void PNGAPI
png_set_iCCP(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp name,int compression_type,png_const_bytep profile,png_uint_32 proflen)622 png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
623     png_const_charp name, int compression_type,
624     png_const_bytep profile, png_uint_32 proflen)
625 {
626    png_charp new_iccp_name;
627    png_bytep new_iccp_profile;
628    png_size_t length;
629 
630    png_debug1(1, "in %s storage function", "iCCP");
631 
632    if (png_ptr == NULL || info_ptr == NULL || name == NULL || profile == NULL)
633       return;
634 
635    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
636       png_app_error(png_ptr, "Invalid iCCP compression method");
637 
638    /* Set the colorspace first because this validates the profile; do not
639     * override previously set app cHRM or gAMA here (because likely as not the
640     * application knows better than libpng what the correct values are.)  Pass
641     * the info_ptr color_type field to png_colorspace_set_ICC because in the
642     * write case it has not yet been stored in png_ptr.
643     */
644    {
645       int result = png_colorspace_set_ICC(png_ptr, &info_ptr->colorspace, name,
646          proflen, profile, info_ptr->color_type);
647 
648       png_colorspace_sync_info(png_ptr, info_ptr);
649 
650       /* Don't do any of the copying if the profile was bad, or inconsistent. */
651       if (result == 0)
652          return;
653 
654       /* But do write the gAMA and cHRM chunks from the profile. */
655       info_ptr->colorspace.flags |=
656          PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
657    }
658 
659    length = strlen(name)+1;
660    new_iccp_name = png_voidcast(png_charp, png_malloc_warn(png_ptr, length));
661 
662    if (new_iccp_name == NULL)
663    {
664       png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk");
665 
666       return;
667    }
668 
669    memcpy(new_iccp_name, name, length);
670    new_iccp_profile = png_voidcast(png_bytep,
671       png_malloc_warn(png_ptr, proflen));
672 
673    if (new_iccp_profile == NULL)
674    {
675       png_free(png_ptr, new_iccp_name);
676       png_benign_error(png_ptr,
677           "Insufficient memory to process iCCP profile");
678 
679       return;
680    }
681 
682    memcpy(new_iccp_profile, profile, proflen);
683 
684    png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, 0);
685 
686    info_ptr->iccp_proflen = proflen;
687    info_ptr->iccp_name = new_iccp_name;
688    info_ptr->iccp_profile = new_iccp_profile;
689    info_ptr->free_me |= PNG_FREE_ICCP;
690    info_ptr->valid |= PNG_INFO_iCCP;
691 }
692 #endif
693 
694 #ifdef PNG_TEXT_SUPPORTED
695 void PNGAPI
png_set_text(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)696 png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
697     png_const_textp text_ptr, int num_text)
698 {
699    int ret;
700    ret = png_set_text_2(png_ptr, info_ptr, text_ptr, num_text);
701 
702    if (ret != 0)
703       png_error(png_ptr, "Insufficient memory to store text");
704 }
705 
706 int /* PRIVATE */
png_set_text_2(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)707 png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
708     png_const_textp text_ptr, int num_text)
709 {
710    int i;
711 
712    png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11 :
713       (unsigned long)png_ptr->chunk_name);
714 
715    if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
716       return(0);
717 
718    /* Make sure we have enough space in the "text" array in info_struct
719     * to hold all of the incoming text_ptr objects.  This compare can't overflow
720     * because max_text >= num_text (anyway, subtract of two positive integers
721     * can't overflow in any case.)
722     */
723    if (num_text > info_ptr->max_text - info_ptr->num_text)
724    {
725       int old_num_text = info_ptr->num_text;
726       int max_text;
727       png_textp new_text = NULL;
728 
729       /* Calculate an appropriate max_text, checking for overflow. */
730       max_text = old_num_text;
731       if (num_text <= INT_MAX - max_text)
732       {
733          max_text += num_text;
734 
735          /* Round up to a multiple of 8 */
736          if (max_text < INT_MAX-8)
737             max_text = (max_text + 8) & ~0x7;
738 
739          else
740             max_text = INT_MAX;
741 
742          /* Now allocate a new array and copy the old members in; this does all
743           * the overflow checks.
744           */
745          new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
746             info_ptr->text, old_num_text, max_text-old_num_text,
747             sizeof *new_text));
748       }
749 
750       if (new_text == NULL)
751       {
752          png_chunk_report(png_ptr, "too many text chunks",
753             PNG_CHUNK_WRITE_ERROR);
754 
755          return 1;
756       }
757 
758       png_free(png_ptr, info_ptr->text);
759 
760       info_ptr->text = new_text;
761       info_ptr->free_me |= PNG_FREE_TEXT;
762       info_ptr->max_text = max_text;
763       /* num_text is adjusted below as the entries are copied in */
764 
765       png_debug1(3, "allocated %d entries for info_ptr->text", max_text);
766    }
767 
768    for (i = 0; i < num_text; i++)
769    {
770       size_t text_length, key_len;
771       size_t lang_len, lang_key_len;
772       png_textp textp = &(info_ptr->text[info_ptr->num_text]);
773 
774       if (text_ptr[i].key == NULL)
775           continue;
776 
777       if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
778           text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
779       {
780          png_chunk_report(png_ptr, "text compression mode is out of range",
781             PNG_CHUNK_WRITE_ERROR);
782          continue;
783       }
784 
785       key_len = strlen(text_ptr[i].key);
786 
787       if (text_ptr[i].compression <= 0)
788       {
789          lang_len = 0;
790          lang_key_len = 0;
791       }
792 
793       else
794 #  ifdef PNG_iTXt_SUPPORTED
795       {
796          /* Set iTXt data */
797 
798          if (text_ptr[i].lang != NULL)
799             lang_len = strlen(text_ptr[i].lang);
800 
801          else
802             lang_len = 0;
803 
804          if (text_ptr[i].lang_key != NULL)
805             lang_key_len = strlen(text_ptr[i].lang_key);
806 
807          else
808             lang_key_len = 0;
809       }
810 #  else /* iTXt */
811       {
812          png_chunk_report(png_ptr, "iTXt chunk not supported",
813             PNG_CHUNK_WRITE_ERROR);
814          continue;
815       }
816 #  endif
817 
818       if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
819       {
820          text_length = 0;
821 #  ifdef PNG_iTXt_SUPPORTED
822          if (text_ptr[i].compression > 0)
823             textp->compression = PNG_ITXT_COMPRESSION_NONE;
824 
825          else
826 #  endif
827             textp->compression = PNG_TEXT_COMPRESSION_NONE;
828       }
829 
830       else
831       {
832          text_length = strlen(text_ptr[i].text);
833          textp->compression = text_ptr[i].compression;
834       }
835 
836       textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr,
837           key_len + text_length + lang_len + lang_key_len + 4));
838 
839       if (textp->key == NULL)
840       {
841          png_chunk_report(png_ptr, "text chunk: out of memory",
842                PNG_CHUNK_WRITE_ERROR);
843 
844          return 1;
845       }
846 
847       png_debug2(2, "Allocated %lu bytes at %p in png_set_text",
848           (unsigned long)(png_uint_32)
849           (key_len + lang_len + lang_key_len + text_length + 4),
850           textp->key);
851 
852       memcpy(textp->key, text_ptr[i].key, key_len);
853       *(textp->key + key_len) = '\0';
854 
855       if (text_ptr[i].compression > 0)
856       {
857          textp->lang = textp->key + key_len + 1;
858          memcpy(textp->lang, text_ptr[i].lang, lang_len);
859          *(textp->lang + lang_len) = '\0';
860          textp->lang_key = textp->lang + lang_len + 1;
861          memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len);
862          *(textp->lang_key + lang_key_len) = '\0';
863          textp->text = textp->lang_key + lang_key_len + 1;
864       }
865 
866       else
867       {
868          textp->lang=NULL;
869          textp->lang_key=NULL;
870          textp->text = textp->key + key_len + 1;
871       }
872 
873       if (text_length != 0)
874          memcpy(textp->text, text_ptr[i].text, text_length);
875 
876       *(textp->text + text_length) = '\0';
877 
878 #  ifdef PNG_iTXt_SUPPORTED
879       if (textp->compression > 0)
880       {
881          textp->text_length = 0;
882          textp->itxt_length = text_length;
883       }
884 
885       else
886 #  endif
887       {
888          textp->text_length = text_length;
889          textp->itxt_length = 0;
890       }
891 
892       info_ptr->num_text++;
893       png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
894    }
895 
896    return(0);
897 }
898 #endif
899 
900 #ifdef PNG_tIME_SUPPORTED
901 void PNGAPI
png_set_tIME(png_const_structrp png_ptr,png_inforp info_ptr,png_const_timep mod_time)902 png_set_tIME(png_const_structrp png_ptr, png_inforp info_ptr,
903     png_const_timep mod_time)
904 {
905    png_debug1(1, "in %s storage function", "tIME");
906 
907    if (png_ptr == NULL || info_ptr == NULL || mod_time == NULL ||
908        (png_ptr->mode & PNG_WROTE_tIME) != 0)
909       return;
910 
911    if (mod_time->month == 0   || mod_time->month > 12  ||
912        mod_time->day   == 0   || mod_time->day   > 31  ||
913        mod_time->hour  > 23   || mod_time->minute > 59 ||
914        mod_time->second > 60)
915    {
916       png_warning(png_ptr, "Ignoring invalid time value");
917 
918       return;
919    }
920 
921    info_ptr->mod_time = *mod_time;
922    info_ptr->valid |= PNG_INFO_tIME;
923 }
924 #endif
925 
926 #ifdef PNG_tRNS_SUPPORTED
927 void PNGAPI
png_set_tRNS(png_structrp png_ptr,png_inforp info_ptr,png_const_bytep trans_alpha,int num_trans,png_const_color_16p trans_color)928 png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
929     png_const_bytep trans_alpha, int num_trans, png_const_color_16p trans_color)
930 {
931    png_debug1(1, "in %s storage function", "tRNS");
932 
933    if (png_ptr == NULL || info_ptr == NULL)
934 
935       return;
936 
937    if (trans_alpha != NULL)
938    {
939        /* It may not actually be necessary to set png_ptr->trans_alpha here;
940         * we do it for backward compatibility with the way the png_handle_tRNS
941         * function used to do the allocation.
942         *
943         * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
944         * relies on png_set_tRNS storing the information in png_struct
945         * (otherwise it won't be there for the code in pngrtran.c).
946         */
947 
948        png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
949 
950        /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
951        png_ptr->trans_alpha = info_ptr->trans_alpha = png_voidcast(png_bytep,
952          png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
953 
954        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
955           memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
956    }
957 
958    if (trans_color != NULL)
959    {
960 #ifdef PNG_WARNINGS_SUPPORTED
961       if (info_ptr->bit_depth < 16)
962       {
963          int sample_max = (1 << info_ptr->bit_depth) - 1;
964 
965          if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
966              trans_color->gray > sample_max) ||
967              (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
968              (trans_color->red > sample_max ||
969              trans_color->green > sample_max ||
970              trans_color->blue > sample_max)))
971             png_warning(png_ptr,
972                "tRNS chunk has out-of-range samples for bit_depth");
973       }
974 #endif
975 
976       info_ptr->trans_color = *trans_color;
977 
978       if (num_trans == 0)
979          num_trans = 1;
980    }
981 
982    info_ptr->num_trans = (png_uint_16)num_trans;
983 
984    if (num_trans != 0)
985    {
986       info_ptr->valid |= PNG_INFO_tRNS;
987       info_ptr->free_me |= PNG_FREE_TRNS;
988    }
989 }
990 #endif
991 
992 #ifdef PNG_sPLT_SUPPORTED
993 void PNGAPI
png_set_sPLT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_sPLT_tp entries,int nentries)994 png_set_sPLT(png_const_structrp png_ptr,
995     png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
996 /*
997  *  entries        - array of png_sPLT_t structures
998  *                   to be added to the list of palettes
999  *                   in the info structure.
1000  *
1001  *  nentries       - number of palette structures to be
1002  *                   added.
1003  */
1004 {
1005    png_sPLT_tp np;
1006 
1007    if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL)
1008       return;
1009 
1010    /* Use the internal realloc function, which checks for all the possible
1011     * overflows.  Notice that the parameters are (int) and (size_t)
1012     */
1013    np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr,
1014       info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries,
1015       sizeof *np));
1016 
1017    if (np == NULL)
1018    {
1019       /* Out of memory or too many chunks */
1020       png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
1021 
1022       return;
1023    }
1024 
1025    png_free(png_ptr, info_ptr->splt_palettes);
1026    info_ptr->splt_palettes = np;
1027    info_ptr->free_me |= PNG_FREE_SPLT;
1028 
1029    np += info_ptr->splt_palettes_num;
1030 
1031    do
1032    {
1033       png_size_t length;
1034 
1035       /* Skip invalid input entries */
1036       if (entries->name == NULL || entries->entries == NULL)
1037       {
1038          /* png_handle_sPLT doesn't do this, so this is an app error */
1039          png_app_error(png_ptr, "png_set_sPLT: invalid sPLT");
1040          /* Just skip the invalid entry */
1041          continue;
1042       }
1043 
1044       np->depth = entries->depth;
1045 
1046       /* In the event of out-of-memory just return - there's no point keeping
1047        * on trying to add sPLT chunks.
1048        */
1049       length = strlen(entries->name) + 1;
1050       np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
1051 
1052       if (np->name == NULL)
1053          break;
1054 
1055       memcpy(np->name, entries->name, length);
1056 
1057       /* IMPORTANT: we have memory now that won't get freed if something else
1058        * goes wrong; this code must free it.  png_malloc_array produces no
1059        * warnings; use a png_chunk_report (below) if there is an error.
1060        */
1061       np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
1062           entries->nentries, sizeof (png_sPLT_entry)));
1063 
1064       if (np->entries == NULL)
1065       {
1066          png_free(png_ptr, np->name);
1067          np->name = NULL;
1068          break;
1069       }
1070 
1071       np->nentries = entries->nentries;
1072       /* This multiply can't overflow because png_malloc_array has already
1073        * checked it when doing the allocation.
1074        */
1075       memcpy(np->entries, entries->entries,
1076          entries->nentries * sizeof (png_sPLT_entry));
1077 
1078       /* Note that 'continue' skips the advance of the out pointer and out
1079        * count, so an invalid entry is not added.
1080        */
1081       info_ptr->valid |= PNG_INFO_sPLT;
1082       ++(info_ptr->splt_palettes_num);
1083       ++np;
1084    }
1085    while (++entries, --nentries);
1086 
1087    if (nentries > 0)
1088       png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
1089 }
1090 #endif /* sPLT */
1091 
1092 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
1093 static png_byte
check_location(png_const_structrp png_ptr,int location)1094 check_location(png_const_structrp png_ptr, int location)
1095 {
1096    location &= (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT);
1097 
1098    /* New in 1.6.0; copy the location and check it.  This is an API
1099     * change; previously the app had to use the
1100     * png_set_unknown_chunk_location API below for each chunk.
1101     */
1102    if (location == 0 && (png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1103    {
1104       /* Write struct, so unknown chunks come from the app */
1105       png_app_warning(png_ptr,
1106          "png_set_unknown_chunks now expects a valid location");
1107       /* Use the old behavior */
1108       location = (png_byte)(png_ptr->mode &
1109          (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT));
1110    }
1111 
1112    /* This need not be an internal error - if the app calls
1113     * png_set_unknown_chunks on a read pointer it must get the location right.
1114     */
1115    if (location == 0)
1116       png_error(png_ptr, "invalid location in png_set_unknown_chunks");
1117 
1118    /* Now reduce the location to the top-most set bit by removing each least
1119     * significant bit in turn.
1120     */
1121    while (location != (location & -location))
1122       location &= ~(location & -location);
1123 
1124    /* The cast is safe because 'location' is a bit mask and only the low four
1125     * bits are significant.
1126     */
1127    return (png_byte)location;
1128 }
1129 
1130 void PNGAPI
png_set_unknown_chunks(png_const_structrp png_ptr,png_inforp info_ptr,png_const_unknown_chunkp unknowns,int num_unknowns)1131 png_set_unknown_chunks(png_const_structrp png_ptr,
1132    png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
1133 {
1134    png_unknown_chunkp np;
1135 
1136    if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
1137        unknowns == NULL)
1138       return;
1139 
1140    /* Check for the failure cases where support has been disabled at compile
1141     * time.  This code is hardly ever compiled - it's here because
1142     * STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this
1143     * code) but may be meaningless if the read or write handling of unknown
1144     * chunks is not compiled in.
1145     */
1146 #  if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
1147       defined(PNG_READ_SUPPORTED)
1148       if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1149       {
1150          png_app_error(png_ptr, "no unknown chunk support on read");
1151 
1152          return;
1153       }
1154 #  endif
1155 #  if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
1156       defined(PNG_WRITE_SUPPORTED)
1157       if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1158       {
1159          png_app_error(png_ptr, "no unknown chunk support on write");
1160 
1161          return;
1162       }
1163 #  endif
1164 
1165    /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
1166     * unknown critical chunks could be lost with just a warning resulting in
1167     * undefined behavior.  Now png_chunk_report is used to provide behavior
1168     * appropriate to read or write.
1169     */
1170    np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr,
1171          info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns,
1172          sizeof *np));
1173 
1174    if (np == NULL)
1175    {
1176       png_chunk_report(png_ptr, "too many unknown chunks",
1177          PNG_CHUNK_WRITE_ERROR);
1178 
1179       return;
1180    }
1181 
1182    png_free(png_ptr, info_ptr->unknown_chunks);
1183    info_ptr->unknown_chunks = np; /* safe because it is initialized */
1184    info_ptr->free_me |= PNG_FREE_UNKN;
1185 
1186    np += info_ptr->unknown_chunks_num;
1187 
1188    /* Increment unknown_chunks_num each time round the loop to protect the
1189     * just-allocated chunk data.
1190     */
1191    for (; num_unknowns > 0; --num_unknowns, ++unknowns)
1192    {
1193       memcpy(np->name, unknowns->name, (sizeof np->name));
1194       np->name[(sizeof np->name)-1] = '\0';
1195       np->location = check_location(png_ptr, unknowns->location);
1196 
1197       if (unknowns->size == 0)
1198       {
1199          np->data = NULL;
1200          np->size = 0;
1201       }
1202 
1203       else
1204       {
1205          np->data = png_voidcast(png_bytep,
1206             png_malloc_base(png_ptr, unknowns->size));
1207 
1208          if (np->data == NULL)
1209          {
1210             png_chunk_report(png_ptr, "unknown chunk: out of memory",
1211                PNG_CHUNK_WRITE_ERROR);
1212             /* But just skip storing the unknown chunk */
1213             continue;
1214          }
1215 
1216          memcpy(np->data, unknowns->data, unknowns->size);
1217          np->size = unknowns->size;
1218       }
1219 
1220       /* These increments are skipped on out-of-memory for the data - the
1221        * unknown chunk entry gets overwritten if the png_chunk_report returns.
1222        * This is correct in the read case (the chunk is just dropped.)
1223        */
1224       ++np;
1225       ++(info_ptr->unknown_chunks_num);
1226    }
1227 }
1228 
1229 void PNGAPI
png_set_unknown_chunk_location(png_const_structrp png_ptr,png_inforp info_ptr,int chunk,int location)1230 png_set_unknown_chunk_location(png_const_structrp png_ptr, png_inforp info_ptr,
1231     int chunk, int location)
1232 {
1233    /* This API is pretty pointless in 1.6.0 because the location can be set
1234     * before the call to png_set_unknown_chunks.
1235     *
1236     * TODO: add a png_app_warning in 1.7
1237     */
1238    if (png_ptr != NULL && info_ptr != NULL && chunk >= 0 &&
1239       chunk < info_ptr->unknown_chunks_num)
1240    {
1241       if ((location & (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT)) == 0)
1242       {
1243          png_app_error(png_ptr, "invalid unknown chunk location");
1244          /* Fake out the pre 1.6.0 behavior: */
1245          if ((location & PNG_HAVE_IDAT) != 0) /* undocumented! */
1246             location = PNG_AFTER_IDAT;
1247 
1248          else
1249             location = PNG_HAVE_IHDR; /* also undocumented */
1250       }
1251 
1252       info_ptr->unknown_chunks[chunk].location =
1253          check_location(png_ptr, location);
1254    }
1255 }
1256 #endif /* STORE_UNKNOWN_CHUNKS */
1257 
1258 #ifdef PNG_MNG_FEATURES_SUPPORTED
1259 png_uint_32 PNGAPI
png_permit_mng_features(png_structrp png_ptr,png_uint_32 mng_features)1260 png_permit_mng_features (png_structrp png_ptr, png_uint_32 mng_features)
1261 {
1262    png_debug(1, "in png_permit_mng_features");
1263 
1264    if (png_ptr == NULL)
1265       return 0;
1266 
1267    png_ptr->mng_features_permitted = mng_features & PNG_ALL_MNG_FEATURES;
1268 
1269    return png_ptr->mng_features_permitted;
1270 }
1271 #endif
1272 
1273 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
1274 static unsigned int
add_one_chunk(png_bytep list,unsigned int count,png_const_bytep add,int keep)1275 add_one_chunk(png_bytep list, unsigned int count, png_const_bytep add, int keep)
1276 {
1277    unsigned int i;
1278 
1279    /* Utility function: update the 'keep' state of a chunk if it is already in
1280     * the list, otherwise add it to the list.
1281     */
1282    for (i=0; i<count; ++i, list += 5)
1283    {
1284       if (memcmp(list, add, 4) == 0)
1285       {
1286          list[4] = (png_byte)keep;
1287 
1288          return count;
1289       }
1290    }
1291 
1292    if (keep != PNG_HANDLE_CHUNK_AS_DEFAULT)
1293    {
1294       ++count;
1295       memcpy(list, add, 4);
1296       list[4] = (png_byte)keep;
1297    }
1298 
1299    return count;
1300 }
1301 
1302 void PNGAPI
png_set_keep_unknown_chunks(png_structrp png_ptr,int keep,png_const_bytep chunk_list,int num_chunks_in)1303 png_set_keep_unknown_chunks(png_structrp png_ptr, int keep,
1304     png_const_bytep chunk_list, int num_chunks_in)
1305 {
1306    png_bytep new_list;
1307    unsigned int num_chunks, old_num_chunks;
1308 
1309    if (png_ptr == NULL)
1310       return;
1311 
1312    if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST)
1313    {
1314       png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep");
1315 
1316       return;
1317    }
1318 
1319    if (num_chunks_in <= 0)
1320    {
1321       png_ptr->unknown_default = keep;
1322 
1323       /* '0' means just set the flags, so stop here */
1324       if (num_chunks_in == 0)
1325         return;
1326    }
1327 
1328    if (num_chunks_in < 0)
1329    {
1330       /* Ignore all unknown chunks and all chunks recognized by
1331        * libpng except for IHDR, PLTE, tRNS, IDAT, and IEND
1332        */
1333       static PNG_CONST png_byte chunks_to_ignore[] = {
1334          98,  75,  71,  68, '\0',  /* bKGD */
1335          99,  72,  82,  77, '\0',  /* cHRM */
1336         103,  65,  77,  65, '\0',  /* gAMA */
1337         104,  73,  83,  84, '\0',  /* hIST */
1338         105,  67,  67,  80, '\0',  /* iCCP */
1339         105,  84,  88, 116, '\0',  /* iTXt */
1340         111,  70,  70, 115, '\0',  /* oFFs */
1341         112,  67,  65,  76, '\0',  /* pCAL */
1342         112,  72,  89, 115, '\0',  /* pHYs */
1343         115,  66,  73,  84, '\0',  /* sBIT */
1344         115,  67,  65,  76, '\0',  /* sCAL */
1345         115,  80,  76,  84, '\0',  /* sPLT */
1346         115,  84,  69,  82, '\0',  /* sTER */
1347         115,  82,  71,  66, '\0',  /* sRGB */
1348         116,  69,  88, 116, '\0',  /* tEXt */
1349         116,  73,  77,  69, '\0',  /* tIME */
1350         122,  84,  88, 116, '\0'   /* zTXt */
1351       };
1352 
1353       chunk_list = chunks_to_ignore;
1354       num_chunks = (unsigned int)/*SAFE*/(sizeof chunks_to_ignore)/5U;
1355    }
1356 
1357    else /* num_chunks_in > 0 */
1358    {
1359       if (chunk_list == NULL)
1360       {
1361          /* Prior to 1.6.0 this was silently ignored, now it is an app_error
1362           * which can be switched off.
1363           */
1364          png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list");
1365 
1366          return;
1367       }
1368 
1369       num_chunks = num_chunks_in;
1370    }
1371 
1372    old_num_chunks = png_ptr->num_chunk_list;
1373    if (png_ptr->chunk_list == NULL)
1374       old_num_chunks = 0;
1375 
1376    /* Since num_chunks is always restricted to UINT_MAX/5 this can't overflow.
1377     */
1378    if (num_chunks + old_num_chunks > UINT_MAX/5)
1379    {
1380       png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
1381 
1382       return;
1383    }
1384 
1385    /* If these chunks are being reset to the default then no more memory is
1386     * required because add_one_chunk above doesn't extend the list if the 'keep'
1387     * parameter is the default.
1388     */
1389    if (keep != 0)
1390    {
1391       new_list = png_voidcast(png_bytep, png_malloc(png_ptr,
1392           5 * (num_chunks + old_num_chunks)));
1393 
1394       if (old_num_chunks > 0)
1395          memcpy(new_list, png_ptr->chunk_list, 5*old_num_chunks);
1396    }
1397 
1398    else if (old_num_chunks > 0)
1399       new_list = png_ptr->chunk_list;
1400 
1401    else
1402       new_list = NULL;
1403 
1404    /* Add the new chunks together with each one's handling code.  If the chunk
1405     * already exists the code is updated, otherwise the chunk is added to the
1406     * end.  (In libpng 1.6.0 order no longer matters because this code enforces
1407     * the earlier convention that the last setting is the one that is used.)
1408     */
1409    if (new_list != NULL)
1410    {
1411       png_const_bytep inlist;
1412       png_bytep outlist;
1413       unsigned int i;
1414 
1415       for (i=0; i<num_chunks; ++i)
1416       {
1417          old_num_chunks = add_one_chunk(new_list, old_num_chunks,
1418             chunk_list+5*i, keep);
1419       }
1420 
1421       /* Now remove any spurious 'default' entries. */
1422       num_chunks = 0;
1423       for (i=0, inlist=outlist=new_list; i<old_num_chunks; ++i, inlist += 5)
1424       {
1425          if (inlist[4])
1426          {
1427             if (outlist != inlist)
1428                memcpy(outlist, inlist, 5);
1429             outlist += 5;
1430             ++num_chunks;
1431          }
1432       }
1433 
1434       /* This means the application has removed all the specialized handling. */
1435       if (num_chunks == 0)
1436       {
1437          if (png_ptr->chunk_list != new_list)
1438             png_free(png_ptr, new_list);
1439 
1440          new_list = NULL;
1441       }
1442    }
1443 
1444    else
1445       num_chunks = 0;
1446 
1447    png_ptr->num_chunk_list = num_chunks;
1448 
1449    if (png_ptr->chunk_list != new_list)
1450    {
1451       if (png_ptr->chunk_list != NULL)
1452          png_free(png_ptr, png_ptr->chunk_list);
1453 
1454       png_ptr->chunk_list = new_list;
1455    }
1456 }
1457 #endif
1458 
1459 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1460 void PNGAPI
png_set_read_user_chunk_fn(png_structrp png_ptr,png_voidp user_chunk_ptr,png_user_chunk_ptr read_user_chunk_fn)1461 png_set_read_user_chunk_fn(png_structrp png_ptr, png_voidp user_chunk_ptr,
1462     png_user_chunk_ptr read_user_chunk_fn)
1463 {
1464    png_debug(1, "in png_set_read_user_chunk_fn");
1465 
1466    if (png_ptr == NULL)
1467       return;
1468 
1469    png_ptr->read_user_chunk_fn = read_user_chunk_fn;
1470    png_ptr->user_chunk_ptr = user_chunk_ptr;
1471 }
1472 #endif
1473 
1474 #ifdef PNG_INFO_IMAGE_SUPPORTED
1475 void PNGAPI
png_set_rows(png_const_structrp png_ptr,png_inforp info_ptr,png_bytepp row_pointers)1476 png_set_rows(png_const_structrp png_ptr, png_inforp info_ptr,
1477     png_bytepp row_pointers)
1478 {
1479    png_debug1(1, "in %s storage function", "rows");
1480 
1481    if (png_ptr == NULL || info_ptr == NULL)
1482       return;
1483 
1484    if (info_ptr->row_pointers != NULL &&
1485        (info_ptr->row_pointers != row_pointers))
1486       png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0);
1487 
1488    info_ptr->row_pointers = row_pointers;
1489 
1490    if (row_pointers != NULL)
1491       info_ptr->valid |= PNG_INFO_IDAT;
1492 }
1493 #endif
1494 
1495 void PNGAPI
png_set_compression_buffer_size(png_structrp png_ptr,png_size_t size)1496 png_set_compression_buffer_size(png_structrp png_ptr, png_size_t size)
1497 {
1498     if (png_ptr == NULL)
1499        return;
1500 
1501     if (size == 0 || size > PNG_UINT_31_MAX)
1502        png_error(png_ptr, "invalid compression buffer size");
1503 
1504 #  ifdef PNG_SEQUENTIAL_READ_SUPPORTED
1505       if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1506       {
1507          png_ptr->IDAT_read_size = (png_uint_32)size; /* checked above */
1508          return;
1509       }
1510 #  endif
1511 
1512 #  ifdef PNG_WRITE_SUPPORTED
1513       if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1514       {
1515          if (png_ptr->zowner != 0)
1516          {
1517             png_warning(png_ptr,
1518               "Compression buffer size cannot be changed because it is in use");
1519 
1520             return;
1521          }
1522 
1523 #ifndef __COVERITY__
1524          /* Some compilers complain that this is always false.  However, it
1525           * can be true when integer overflow happens.
1526           */
1527          if (size > ZLIB_IO_MAX)
1528          {
1529             png_warning(png_ptr,
1530                "Compression buffer size limited to system maximum");
1531             size = ZLIB_IO_MAX; /* must fit */
1532          }
1533 #endif
1534 
1535          if (size < 6)
1536          {
1537             /* Deflate will potentially go into an infinite loop on a SYNC_FLUSH
1538              * if this is permitted.
1539              */
1540             png_warning(png_ptr,
1541                "Compression buffer size cannot be reduced below 6");
1542 
1543             return;
1544          }
1545 
1546          if (png_ptr->zbuffer_size != size)
1547          {
1548             png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list);
1549             png_ptr->zbuffer_size = (uInt)size;
1550          }
1551       }
1552 #  endif
1553 }
1554 
1555 void PNGAPI
png_set_invalid(png_const_structrp png_ptr,png_inforp info_ptr,int mask)1556 png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask)
1557 {
1558    if (png_ptr != NULL && info_ptr != NULL)
1559       info_ptr->valid &= ~mask;
1560 }
1561 
1562 
1563 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
1564 /* This function was added to libpng 1.2.6 */
1565 void PNGAPI
png_set_user_limits(png_structrp png_ptr,png_uint_32 user_width_max,png_uint_32 user_height_max)1566 png_set_user_limits (png_structrp png_ptr, png_uint_32 user_width_max,
1567     png_uint_32 user_height_max)
1568 {
1569    /* Images with dimensions larger than these limits will be
1570     * rejected by png_set_IHDR().  To accept any PNG datastream
1571     * regardless of dimensions, set both limits to 0x7ffffffL.
1572     */
1573    if (png_ptr == NULL)
1574       return;
1575 
1576    png_ptr->user_width_max = user_width_max;
1577    png_ptr->user_height_max = user_height_max;
1578 }
1579 
1580 /* This function was added to libpng 1.4.0 */
1581 void PNGAPI
png_set_chunk_cache_max(png_structrp png_ptr,png_uint_32 user_chunk_cache_max)1582 png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
1583 {
1584    if (png_ptr != NULL)
1585       png_ptr->user_chunk_cache_max = user_chunk_cache_max;
1586 }
1587 
1588 /* This function was added to libpng 1.4.1 */
1589 void PNGAPI
png_set_chunk_malloc_max(png_structrp png_ptr,png_alloc_size_t user_chunk_malloc_max)1590 png_set_chunk_malloc_max (png_structrp png_ptr,
1591     png_alloc_size_t user_chunk_malloc_max)
1592 {
1593    if (png_ptr != NULL)
1594       png_ptr->user_chunk_malloc_max = user_chunk_malloc_max;
1595 }
1596 #endif /* ?SET_USER_LIMITS */
1597 
1598 
1599 #ifdef PNG_BENIGN_ERRORS_SUPPORTED
1600 void PNGAPI
png_set_benign_errors(png_structrp png_ptr,int allowed)1601 png_set_benign_errors(png_structrp png_ptr, int allowed)
1602 {
1603    png_debug(1, "in png_set_benign_errors");
1604 
1605    /* If allowed is 1, png_benign_error() is treated as a warning.
1606     *
1607     * If allowed is 0, png_benign_error() is treated as an error (which
1608     * is the default behavior if png_set_benign_errors() is not called).
1609     */
1610 
1611    if (allowed != 0)
1612       png_ptr->flags |= PNG_FLAG_BENIGN_ERRORS_WARN |
1613          PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN;
1614 
1615    else
1616       png_ptr->flags &= ~(PNG_FLAG_BENIGN_ERRORS_WARN |
1617          PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN);
1618 }
1619 #endif /* BENIGN_ERRORS */
1620 
1621 #ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
1622    /* Whether to report invalid palette index; added at libng-1.5.10.
1623     * It is possible for an indexed (color-type==3) PNG file to contain
1624     * pixels with invalid (out-of-range) indexes if the PLTE chunk has
1625     * fewer entries than the image's bit-depth would allow. We recover
1626     * from this gracefully by filling any incomplete palette with zeros
1627     * (opaque black).  By default, when this occurs libpng will issue
1628     * a benign error.  This API can be used to override that behavior.
1629     */
1630 void PNGAPI
png_set_check_for_invalid_index(png_structrp png_ptr,int allowed)1631 png_set_check_for_invalid_index(png_structrp png_ptr, int allowed)
1632 {
1633    png_debug(1, "in png_set_check_for_invalid_index");
1634 
1635    if (allowed > 0)
1636       png_ptr->num_palette_max = 0;
1637 
1638    else
1639       png_ptr->num_palette_max = -1;
1640 }
1641 #endif
1642 #endif /* READ || WRITE */
1643