1
2 /* pngpread.c - read a png file in push mode
3 *
4 * Copyright (c) 2018 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17
18 /* Push model modes */
19 #define PNG_READ_SIG_MODE 0
20 #define PNG_READ_CHUNK_MODE 1
21 #define PNG_READ_IDAT_MODE 2
22 #define PNG_READ_tEXt_MODE 4
23 #define PNG_READ_zTXt_MODE 5
24 #define PNG_READ_DONE_MODE 6
25 #define PNG_READ_iTXt_MODE 7
26 #define PNG_ERROR_MODE 8
27
28 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \
29 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \
30 { png_push_save_buffer(png_ptr); return; }
31 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \
32 if (png_ptr->buffer_size < N) \
33 { png_push_save_buffer(png_ptr); return; }
34
35 void PNGAPI
png_process_data(png_structrp png_ptr,png_inforp info_ptr,png_bytep buffer,size_t buffer_size)36 png_process_data(png_structrp png_ptr, png_inforp info_ptr,
37 png_bytep buffer, size_t buffer_size)
38 {
39 if (png_ptr == NULL || info_ptr == NULL)
40 return;
41
42 png_push_restore_buffer(png_ptr, buffer, buffer_size);
43
44 while (png_ptr->buffer_size)
45 {
46 png_process_some_data(png_ptr, info_ptr);
47 }
48 }
49
50 size_t PNGAPI
png_process_data_pause(png_structrp png_ptr,int save)51 png_process_data_pause(png_structrp png_ptr, int save)
52 {
53 if (png_ptr != NULL)
54 {
55 /* It's easiest for the caller if we do the save; then the caller doesn't
56 * have to supply the same data again:
57 */
58 if (save != 0)
59 png_push_save_buffer(png_ptr);
60 else
61 {
62 /* This includes any pending saved bytes: */
63 size_t remaining = png_ptr->buffer_size;
64 png_ptr->buffer_size = 0;
65
66 /* So subtract the saved buffer size, unless all the data
67 * is actually 'saved', in which case we just return 0
68 */
69 if (png_ptr->save_buffer_size < remaining)
70 return remaining - png_ptr->save_buffer_size;
71 }
72 }
73
74 return 0;
75 }
76
77 png_uint_32 PNGAPI
png_process_data_skip(png_structrp png_ptr)78 png_process_data_skip(png_structrp png_ptr)
79 {
80 /* TODO: Deprecate and remove this API.
81 * Somewhere the implementation of this seems to have been lost,
82 * or abandoned. It was only to support some internal back-door access
83 * to png_struct) in libpng-1.4.x.
84 */
85 png_app_warning(png_ptr,
86 "png_process_data_skip is not implemented in any current version of libpng");
87 return 0;
88 }
89
90 /* What we do with the incoming data depends on what we were previously
91 * doing before we ran out of data...
92 */
93 void /* PRIVATE */
png_process_some_data(png_structrp png_ptr,png_inforp info_ptr)94 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
95 {
96 if (png_ptr == NULL)
97 return;
98
99 switch (png_ptr->process_mode)
100 {
101 case PNG_READ_SIG_MODE:
102 {
103 png_push_read_sig(png_ptr, info_ptr);
104 break;
105 }
106
107 case PNG_READ_CHUNK_MODE:
108 {
109 png_push_read_chunk(png_ptr, info_ptr);
110 break;
111 }
112
113 case PNG_READ_IDAT_MODE:
114 {
115 png_push_read_IDAT(png_ptr);
116 break;
117 }
118
119 default:
120 {
121 png_ptr->buffer_size = 0;
122 break;
123 }
124 }
125 }
126
127 /* Read any remaining signature bytes from the stream and compare them with
128 * the correct PNG signature. It is possible that this routine is called
129 * with bytes already read from the signature, either because they have been
130 * checked by the calling application, or because of multiple calls to this
131 * routine.
132 */
133 void /* PRIVATE */
png_push_read_sig(png_structrp png_ptr,png_inforp info_ptr)134 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
135 {
136 size_t num_checked = png_ptr->sig_bytes; /* SAFE, does not exceed 8 */
137 size_t num_to_check = 8 - num_checked;
138
139 if (png_ptr->buffer_size < num_to_check)
140 {
141 num_to_check = png_ptr->buffer_size;
142 }
143
144 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
145 num_to_check);
146 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
147
148 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
149 {
150 if (num_checked < 4 &&
151 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
152 png_error(png_ptr, "Not a PNG file");
153
154 else
155 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
156 }
157 else
158 {
159 if (png_ptr->sig_bytes >= 8)
160 {
161 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
162 }
163 }
164 }
165
166 void /* PRIVATE */
png_push_read_chunk(png_structrp png_ptr,png_inforp info_ptr)167 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
168 {
169 png_uint_32 chunk_name;
170 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
171 int keep; /* unknown handling method */
172 #endif
173
174 /* First we make sure we have enough data for the 4-byte chunk name
175 * and the 4-byte chunk length before proceeding with decoding the
176 * chunk data. To fully decode each of these chunks, we also make
177 * sure we have enough data in the buffer for the 4-byte CRC at the
178 * end of every chunk (except IDAT, which is handled separately).
179 */
180 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
181 {
182 png_byte chunk_length[4];
183 png_byte chunk_tag[4];
184
185 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
186 png_push_fill_buffer(png_ptr, chunk_length, 4);
187 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
188 png_reset_crc(png_ptr);
189 png_crc_read(png_ptr, chunk_tag, 4);
190 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
191 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
192 png_check_chunk_length(png_ptr, png_ptr->push_length);
193 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
194 }
195
196 chunk_name = png_ptr->chunk_name;
197
198 #ifdef PNG_READ_APNG_SUPPORTED
199 if (png_ptr->num_frames_read > 0 &&
200 png_ptr->num_frames_read < info_ptr->num_frames)
201 {
202 if (chunk_name == png_IDAT)
203 {
204 /* Discard trailing IDATs for the first frame */
205 if ((png_ptr->mode & PNG_HAVE_fcTL) != 0 ||
206 png_ptr->num_frames_read > 1)
207 png_error(png_ptr, "out of place IDAT");
208
209 PNG_PUSH_SAVE_BUFFER_IF_FULL
210 png_crc_finish(png_ptr, png_ptr->push_length);
211 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
212 }
213
214 else if (chunk_name == png_fdAT)
215 {
216 PNG_PUSH_SAVE_BUFFER_IF_LT(4)
217 png_ensure_sequence_number(png_ptr, 4);
218
219 if ((png_ptr->mode & PNG_HAVE_fcTL) == 0)
220 {
221 /* Discard trailing fdATs for frames other than the first */
222 if (png_ptr->num_frames_read < 2)
223 png_error(png_ptr, "out of place fdAT");
224
225 PNG_PUSH_SAVE_BUFFER_IF_FULL
226 png_crc_finish(png_ptr, png_ptr->push_length);
227 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
228 }
229
230 else
231 {
232 /* frame data follows */
233 png_ptr->idat_size = png_ptr->push_length - 4;
234 png_ptr->mode |= PNG_HAVE_IDAT;
235 png_ptr->process_mode = PNG_READ_IDAT_MODE;
236 }
237 }
238
239 else if (chunk_name == png_fcTL)
240 {
241 PNG_PUSH_SAVE_BUFFER_IF_FULL
242 png_read_reset(png_ptr);
243 png_ptr->mode &= ~PNG_HAVE_fcTL;
244
245 png_handle_fcTL(png_ptr, info_ptr, png_ptr->push_length);
246
247 if ((png_ptr->mode & PNG_HAVE_fcTL) == 0)
248 png_error(png_ptr, "missing required fcTL chunk");
249
250 png_read_reinit(png_ptr, info_ptr);
251 png_progressive_read_reset(png_ptr);
252
253 if (png_ptr->frame_info_fn != NULL)
254 (*(png_ptr->frame_info_fn))(png_ptr, png_ptr->num_frames_read);
255
256 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
257 }
258
259 else if (chunk_name == png_IEND)
260 {
261 PNG_PUSH_SAVE_BUFFER_IF_FULL
262 png_warning(png_ptr, "Number of actual frames fewer than expected");
263 png_crc_finish(png_ptr, png_ptr->push_length);
264 png_ptr->process_mode = PNG_READ_DONE_MODE;
265 png_push_have_end(png_ptr, info_ptr);
266 }
267
268 else
269 {
270 PNG_PUSH_SAVE_BUFFER_IF_FULL
271 png_warning(png_ptr, "Skipped (ignored) a chunk "
272 "between APNG chunks");
273 png_crc_finish(png_ptr, png_ptr->push_length);
274 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
275 }
276
277 return;
278 }
279 #endif /* READ_APNG */
280
281 if (chunk_name == png_IDAT)
282 {
283 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
284 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
285
286 /* If we reach an IDAT chunk, this means we have read all of the
287 * header chunks, and we can start reading the image (or if this
288 * is called after the image has been read - we have an error).
289 */
290 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
291 png_error(png_ptr, "Missing IHDR before IDAT");
292
293 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
294 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
295 png_error(png_ptr, "Missing PLTE before IDAT");
296
297 png_ptr->process_mode = PNG_READ_IDAT_MODE;
298
299 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
300 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
301 if (png_ptr->push_length == 0)
302 return;
303
304 png_ptr->mode |= PNG_HAVE_IDAT;
305
306 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
307 png_benign_error(png_ptr, "Too many IDATs found");
308 }
309
310 if (chunk_name == png_IHDR)
311 {
312 if (png_ptr->push_length != 13)
313 png_error(png_ptr, "Invalid IHDR length");
314
315 PNG_PUSH_SAVE_BUFFER_IF_FULL
316 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
317 }
318
319 else if (chunk_name == png_IEND)
320 {
321 PNG_PUSH_SAVE_BUFFER_IF_FULL
322 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
323
324 png_ptr->process_mode = PNG_READ_DONE_MODE;
325 png_push_have_end(png_ptr, info_ptr);
326 }
327
328 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
329 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
330 {
331 PNG_PUSH_SAVE_BUFFER_IF_FULL
332 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);
333
334 if (chunk_name == png_PLTE)
335 png_ptr->mode |= PNG_HAVE_PLTE;
336 }
337 #endif
338
339 else if (chunk_name == png_PLTE)
340 {
341 PNG_PUSH_SAVE_BUFFER_IF_FULL
342 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
343 }
344
345 else if (chunk_name == png_IDAT)
346 {
347 #ifdef PNG_READ_APNG_SUPPORTED
348 png_have_info(png_ptr, info_ptr);
349 #endif
350 png_ptr->idat_size = png_ptr->push_length;
351 png_ptr->process_mode = PNG_READ_IDAT_MODE;
352 png_push_have_info(png_ptr, info_ptr);
353 png_ptr->zstream.avail_out =
354 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
355 png_ptr->iwidth) + 1;
356 png_ptr->zstream.next_out = png_ptr->row_buf;
357 return;
358 }
359
360 #ifdef PNG_READ_gAMA_SUPPORTED
361 else if (png_ptr->chunk_name == png_gAMA)
362 {
363 PNG_PUSH_SAVE_BUFFER_IF_FULL
364 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
365 }
366
367 #endif
368 #ifdef PNG_READ_sBIT_SUPPORTED
369 else if (png_ptr->chunk_name == png_sBIT)
370 {
371 PNG_PUSH_SAVE_BUFFER_IF_FULL
372 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
373 }
374
375 #endif
376 #ifdef PNG_READ_cHRM_SUPPORTED
377 else if (png_ptr->chunk_name == png_cHRM)
378 {
379 PNG_PUSH_SAVE_BUFFER_IF_FULL
380 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
381 }
382
383 #endif
384 #ifdef PNG_READ_sRGB_SUPPORTED
385 else if (chunk_name == png_sRGB)
386 {
387 PNG_PUSH_SAVE_BUFFER_IF_FULL
388 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
389 }
390
391 #endif
392 #ifdef PNG_READ_iCCP_SUPPORTED
393 else if (png_ptr->chunk_name == png_iCCP)
394 {
395 PNG_PUSH_SAVE_BUFFER_IF_FULL
396 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
397 }
398
399 #endif
400 #ifdef PNG_READ_sPLT_SUPPORTED
401 else if (chunk_name == png_sPLT)
402 {
403 PNG_PUSH_SAVE_BUFFER_IF_FULL
404 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
405 }
406
407 #endif
408 #ifdef PNG_READ_tRNS_SUPPORTED
409 else if (chunk_name == png_tRNS)
410 {
411 PNG_PUSH_SAVE_BUFFER_IF_FULL
412 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
413 }
414
415 #endif
416 #ifdef PNG_READ_bKGD_SUPPORTED
417 else if (chunk_name == png_bKGD)
418 {
419 PNG_PUSH_SAVE_BUFFER_IF_FULL
420 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
421 }
422
423 #endif
424 #ifdef PNG_READ_hIST_SUPPORTED
425 else if (chunk_name == png_hIST)
426 {
427 PNG_PUSH_SAVE_BUFFER_IF_FULL
428 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
429 }
430
431 #endif
432 #ifdef PNG_READ_pHYs_SUPPORTED
433 else if (chunk_name == png_pHYs)
434 {
435 PNG_PUSH_SAVE_BUFFER_IF_FULL
436 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
437 }
438
439 #endif
440 #ifdef PNG_READ_oFFs_SUPPORTED
441 else if (chunk_name == png_oFFs)
442 {
443 PNG_PUSH_SAVE_BUFFER_IF_FULL
444 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
445 }
446 #endif
447
448 #ifdef PNG_READ_pCAL_SUPPORTED
449 else if (chunk_name == png_pCAL)
450 {
451 PNG_PUSH_SAVE_BUFFER_IF_FULL
452 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
453 }
454
455 #endif
456 #ifdef PNG_READ_sCAL_SUPPORTED
457 else if (chunk_name == png_sCAL)
458 {
459 PNG_PUSH_SAVE_BUFFER_IF_FULL
460 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
461 }
462
463 #endif
464 #ifdef PNG_READ_tIME_SUPPORTED
465 else if (chunk_name == png_tIME)
466 {
467 PNG_PUSH_SAVE_BUFFER_IF_FULL
468 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
469 }
470
471 #endif
472 #ifdef PNG_READ_tEXt_SUPPORTED
473 else if (chunk_name == png_tEXt)
474 {
475 PNG_PUSH_SAVE_BUFFER_IF_FULL
476 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
477 }
478
479 #endif
480 #ifdef PNG_READ_zTXt_SUPPORTED
481 else if (chunk_name == png_zTXt)
482 {
483 PNG_PUSH_SAVE_BUFFER_IF_FULL
484 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
485 }
486
487 #endif
488 #ifdef PNG_READ_iTXt_SUPPORTED
489 else if (chunk_name == png_iTXt)
490 {
491 PNG_PUSH_SAVE_BUFFER_IF_FULL
492 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
493 }
494 #endif
495
496 #ifdef PNG_READ_APNG_SUPPORTED
497 else if (chunk_name == png_acTL)
498 {
499 PNG_PUSH_SAVE_BUFFER_IF_FULL
500 png_handle_acTL(png_ptr, info_ptr, png_ptr->push_length);
501 }
502
503 else if (chunk_name == png_fcTL)
504 {
505 PNG_PUSH_SAVE_BUFFER_IF_FULL
506 png_handle_fcTL(png_ptr, info_ptr, png_ptr->push_length);
507 }
508
509 #endif /* READ_APNG */
510 else
511 {
512 PNG_PUSH_SAVE_BUFFER_IF_FULL
513 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
514 PNG_HANDLE_CHUNK_AS_DEFAULT);
515 }
516
517 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
518 }
519
520 void PNGCBAPI
png_push_fill_buffer(png_structp png_ptr,png_bytep buffer,size_t length)521 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, size_t length)
522 {
523 png_bytep ptr;
524
525 if (png_ptr == NULL)
526 return;
527
528 ptr = buffer;
529 if (png_ptr->save_buffer_size != 0)
530 {
531 size_t save_size;
532
533 if (length < png_ptr->save_buffer_size)
534 save_size = length;
535
536 else
537 save_size = png_ptr->save_buffer_size;
538
539 memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
540 length -= save_size;
541 ptr += save_size;
542 png_ptr->buffer_size -= save_size;
543 png_ptr->save_buffer_size -= save_size;
544 png_ptr->save_buffer_ptr += save_size;
545 }
546 if (length != 0 && png_ptr->current_buffer_size != 0)
547 {
548 size_t save_size;
549
550 if (length < png_ptr->current_buffer_size)
551 save_size = length;
552
553 else
554 save_size = png_ptr->current_buffer_size;
555
556 memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
557 png_ptr->buffer_size -= save_size;
558 png_ptr->current_buffer_size -= save_size;
559 png_ptr->current_buffer_ptr += save_size;
560 }
561 }
562
563 void /* PRIVATE */
png_push_save_buffer(png_structrp png_ptr)564 png_push_save_buffer(png_structrp png_ptr)
565 {
566 if (png_ptr->save_buffer_size != 0)
567 {
568 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
569 {
570 size_t i, istop;
571 png_bytep sp;
572 png_bytep dp;
573
574 istop = png_ptr->save_buffer_size;
575 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
576 i < istop; i++, sp++, dp++)
577 {
578 *dp = *sp;
579 }
580 }
581 }
582 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
583 png_ptr->save_buffer_max)
584 {
585 size_t new_max;
586 png_bytep old_buffer;
587
588 if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
589 (png_ptr->current_buffer_size + 256))
590 {
591 png_error(png_ptr, "Potential overflow of save_buffer");
592 }
593
594 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
595 old_buffer = png_ptr->save_buffer;
596 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
597 (size_t)new_max);
598
599 if (png_ptr->save_buffer == NULL)
600 {
601 png_free(png_ptr, old_buffer);
602 png_error(png_ptr, "Insufficient memory for save_buffer");
603 }
604
605 if (old_buffer)
606 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
607 else if (png_ptr->save_buffer_size)
608 png_error(png_ptr, "save_buffer error");
609 png_free(png_ptr, old_buffer);
610 png_ptr->save_buffer_max = new_max;
611 }
612 if (png_ptr->current_buffer_size)
613 {
614 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
615 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
616 png_ptr->save_buffer_size += png_ptr->current_buffer_size;
617 png_ptr->current_buffer_size = 0;
618 }
619 png_ptr->save_buffer_ptr = png_ptr->save_buffer;
620 png_ptr->buffer_size = 0;
621 }
622
623 void /* PRIVATE */
png_push_restore_buffer(png_structrp png_ptr,png_bytep buffer,size_t buffer_length)624 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
625 size_t buffer_length)
626 {
627 png_ptr->current_buffer = buffer;
628 png_ptr->current_buffer_size = buffer_length;
629 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
630 png_ptr->current_buffer_ptr = png_ptr->current_buffer;
631 }
632
633 void /* PRIVATE */
png_push_read_IDAT(png_structrp png_ptr)634 png_push_read_IDAT(png_structrp png_ptr)
635 {
636 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
637 {
638 png_byte chunk_length[4];
639 png_byte chunk_tag[4];
640
641 /* TODO: this code can be commoned up with the same code in push_read */
642 #ifdef PNG_READ_APNG_SUPPORTED
643 PNG_PUSH_SAVE_BUFFER_IF_LT(12)
644 #else
645 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
646 #endif
647 png_push_fill_buffer(png_ptr, chunk_length, 4);
648 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
649 png_reset_crc(png_ptr);
650 png_crc_read(png_ptr, chunk_tag, 4);
651 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
652 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
653
654 #ifdef PNG_READ_APNG_SUPPORTED
655 if (png_ptr->chunk_name != png_fdAT && png_ptr->num_frames_read > 0)
656 {
657 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) != 0)
658 {
659 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
660 if (png_ptr->frame_end_fn != NULL)
661 (*(png_ptr->frame_end_fn))(png_ptr, png_ptr->num_frames_read);
662 png_ptr->num_frames_read++;
663 return;
664 }
665 else
666 {
667 if (png_ptr->chunk_name == png_IEND)
668 png_error(png_ptr, "Not enough image data");
669 PNG_PUSH_SAVE_BUFFER_IF_FULL
670 png_warning(png_ptr, "Skipping (ignoring) a chunk between "
671 "APNG chunks");
672 png_crc_finish(png_ptr, png_ptr->push_length);
673 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
674 return;
675 }
676 }
677 else
678 #endif
679 #ifdef PNG_READ_APNG_SUPPORTED
680 if (png_ptr->chunk_name != png_IDAT && png_ptr->num_frames_read == 0)
681 #else
682 if (png_ptr->chunk_name != png_IDAT)
683 #endif
684 {
685 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
686
687 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
688 png_error(png_ptr, "Not enough compressed data");
689
690 #ifdef PNG_READ_APNG_SUPPORTED
691 if (png_ptr->frame_end_fn != NULL)
692 (*(png_ptr->frame_end_fn))(png_ptr, png_ptr->num_frames_read);
693 png_ptr->num_frames_read++;
694 #endif
695
696 return;
697 }
698
699 png_ptr->idat_size = png_ptr->push_length;
700
701 #ifdef PNG_READ_APNG_SUPPORTED
702 if (png_ptr->num_frames_read > 0)
703 {
704 png_ensure_sequence_number(png_ptr, 4);
705 png_ptr->idat_size -= 4;
706 }
707 #endif
708 }
709
710 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
711 {
712 size_t save_size = png_ptr->save_buffer_size;
713 png_uint_32 idat_size = png_ptr->idat_size;
714
715 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
716 * are of different types and we don't know which variable has the fewest
717 * bits. Carefully select the smaller and cast it to the type of the
718 * larger - this cannot overflow. Do not cast in the following test - it
719 * will break on either 16-bit or 64-bit platforms.
720 */
721 if (idat_size < save_size)
722 save_size = (size_t)idat_size;
723
724 else
725 idat_size = (png_uint_32)save_size;
726
727 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
728
729 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
730
731 png_ptr->idat_size -= idat_size;
732 png_ptr->buffer_size -= save_size;
733 png_ptr->save_buffer_size -= save_size;
734 png_ptr->save_buffer_ptr += save_size;
735 }
736
737 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
738 {
739 size_t save_size = png_ptr->current_buffer_size;
740 png_uint_32 idat_size = png_ptr->idat_size;
741
742 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
743 * are of different types and we don't know which variable has the fewest
744 * bits. Carefully select the smaller and cast it to the type of the
745 * larger - this cannot overflow.
746 */
747 if (idat_size < save_size)
748 save_size = (size_t)idat_size;
749
750 else
751 idat_size = (png_uint_32)save_size;
752
753 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
754
755 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
756
757 png_ptr->idat_size -= idat_size;
758 png_ptr->buffer_size -= save_size;
759 png_ptr->current_buffer_size -= save_size;
760 png_ptr->current_buffer_ptr += save_size;
761 }
762
763 if (png_ptr->idat_size == 0)
764 {
765 PNG_PUSH_SAVE_BUFFER_IF_LT(4)
766 png_crc_finish(png_ptr, 0);
767 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
768 png_ptr->mode |= PNG_AFTER_IDAT;
769 png_ptr->zowner = 0;
770 }
771 }
772
773 void /* PRIVATE */
png_process_IDAT_data(png_structrp png_ptr,png_bytep buffer,size_t buffer_length)774 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
775 size_t buffer_length)
776 {
777 /* The caller checks for a non-zero buffer length. */
778 if (!(buffer_length > 0) || buffer == NULL)
779 png_error(png_ptr, "No IDAT data (internal error)");
780
781 #ifdef PNG_READ_APNG_SUPPORTED
782 /* If the app is not APNG-aware, decode only the first frame */
783 if ((png_ptr->apng_flags & PNG_APNG_APP) == 0 &&
784 png_ptr->num_frames_read > 0)
785 {
786 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
787 return;
788 }
789 #endif
790
791 /* This routine must process all the data it has been given
792 * before returning, calling the row callback as required to
793 * handle the uncompressed results.
794 */
795 png_ptr->zstream.next_in = buffer;
796 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
797 png_ptr->zstream.avail_in = (uInt)buffer_length;
798
799 /* Keep going until the decompressed data is all processed
800 * or the stream marked as finished.
801 */
802 while (png_ptr->zstream.avail_in > 0 &&
803 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
804 {
805 int ret;
806
807 /* We have data for zlib, but we must check that zlib
808 * has someplace to put the results. It doesn't matter
809 * if we don't expect any results -- it may be the input
810 * data is just the LZ end code.
811 */
812 if (!(png_ptr->zstream.avail_out > 0))
813 {
814 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
815 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
816 png_ptr->iwidth) + 1);
817
818 png_ptr->zstream.next_out = png_ptr->row_buf;
819 }
820
821 /* Using Z_SYNC_FLUSH here means that an unterminated
822 * LZ stream (a stream with a missing end code) can still
823 * be handled, otherwise (Z_NO_FLUSH) a future zlib
824 * implementation might defer output and therefore
825 * change the current behavior (see comments in inflate.c
826 * for why this doesn't happen at present with zlib 1.2.5).
827 */
828 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH);
829
830 /* Check for any failure before proceeding. */
831 if (ret != Z_OK && ret != Z_STREAM_END)
832 {
833 /* Terminate the decompression. */
834 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
835 png_ptr->zowner = 0;
836
837 /* This may be a truncated stream (missing or
838 * damaged end code). Treat that as a warning.
839 */
840 if (png_ptr->row_number >= png_ptr->num_rows ||
841 png_ptr->pass > 6)
842 png_warning(png_ptr, "Truncated compressed data in IDAT");
843
844 else
845 {
846 if (ret == Z_DATA_ERROR)
847 png_benign_error(png_ptr, "IDAT: ADLER32 checksum mismatch");
848 else
849 png_error(png_ptr, "Decompression error in IDAT");
850 }
851
852 /* Skip the check on unprocessed input */
853 return;
854 }
855
856 /* Did inflate output any data? */
857 if (png_ptr->zstream.next_out != png_ptr->row_buf)
858 {
859 /* Is this unexpected data after the last row?
860 * If it is, artificially terminate the LZ output
861 * here.
862 */
863 if (png_ptr->row_number >= png_ptr->num_rows ||
864 png_ptr->pass > 6)
865 {
866 /* Extra data. */
867 png_warning(png_ptr, "Extra compressed data in IDAT");
868 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
869 png_ptr->zowner = 0;
870
871 /* Do no more processing; skip the unprocessed
872 * input check below.
873 */
874 return;
875 }
876
877 /* Do we have a complete row? */
878 if (png_ptr->zstream.avail_out == 0)
879 png_push_process_row(png_ptr);
880 }
881
882 /* And check for the end of the stream. */
883 if (ret == Z_STREAM_END)
884 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
885 }
886
887 /* All the data should have been processed, if anything
888 * is left at this point we have bytes of IDAT data
889 * after the zlib end code.
890 */
891 if (png_ptr->zstream.avail_in > 0)
892 png_warning(png_ptr, "Extra compression data in IDAT");
893 }
894
895 void /* PRIVATE */
png_push_process_row(png_structrp png_ptr)896 png_push_process_row(png_structrp png_ptr)
897 {
898 /* 1.5.6: row_info moved out of png_struct to a local here. */
899 png_row_info row_info;
900
901 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
902 row_info.color_type = png_ptr->color_type;
903 row_info.bit_depth = png_ptr->bit_depth;
904 row_info.channels = png_ptr->channels;
905 row_info.pixel_depth = png_ptr->pixel_depth;
906 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
907
908 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
909 {
910 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
911 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
912 png_ptr->prev_row + 1, png_ptr->row_buf[0]);
913 else
914 png_error(png_ptr, "bad adaptive filter value");
915 }
916
917 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
918 * 1.5.6, while the buffer really is this big in current versions of libpng
919 * it may not be in the future, so this was changed just to copy the
920 * interlaced row count:
921 */
922 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
923
924 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
925 if (png_ptr->transformations != 0)
926 png_do_read_transformations(png_ptr, &row_info);
927 #endif
928
929 /* The transformed pixel depth should match the depth now in row_info. */
930 if (png_ptr->transformed_pixel_depth == 0)
931 {
932 png_ptr->transformed_pixel_depth = row_info.pixel_depth;
933 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
934 png_error(png_ptr, "progressive row overflow");
935 }
936
937 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
938 png_error(png_ptr, "internal progressive row size calculation error");
939
940
941 #ifdef PNG_READ_INTERLACING_SUPPORTED
942 /* Expand interlaced rows to full size */
943 if (png_ptr->interlaced != 0 &&
944 (png_ptr->transformations & PNG_INTERLACE) != 0)
945 {
946 if (png_ptr->pass < 6)
947 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
948 png_ptr->transformations);
949
950 switch (png_ptr->pass)
951 {
952 case 0:
953 {
954 int i;
955 for (i = 0; i < 8 && png_ptr->pass == 0; i++)
956 {
957 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
958 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
959 }
960
961 if (png_ptr->pass == 2) /* Pass 1 might be empty */
962 {
963 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
964 {
965 png_push_have_row(png_ptr, NULL);
966 png_read_push_finish_row(png_ptr);
967 }
968 }
969
970 if (png_ptr->pass == 4 && png_ptr->height <= 4)
971 {
972 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
973 {
974 png_push_have_row(png_ptr, NULL);
975 png_read_push_finish_row(png_ptr);
976 }
977 }
978
979 if (png_ptr->pass == 6 && png_ptr->height <= 4)
980 {
981 png_push_have_row(png_ptr, NULL);
982 png_read_push_finish_row(png_ptr);
983 }
984
985 break;
986 }
987
988 case 1:
989 {
990 int i;
991 for (i = 0; i < 8 && png_ptr->pass == 1; i++)
992 {
993 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
994 png_read_push_finish_row(png_ptr);
995 }
996
997 if (png_ptr->pass == 2) /* Skip top 4 generated rows */
998 {
999 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1000 {
1001 png_push_have_row(png_ptr, NULL);
1002 png_read_push_finish_row(png_ptr);
1003 }
1004 }
1005
1006 break;
1007 }
1008
1009 case 2:
1010 {
1011 int i;
1012
1013 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1014 {
1015 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1016 png_read_push_finish_row(png_ptr);
1017 }
1018
1019 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1020 {
1021 png_push_have_row(png_ptr, NULL);
1022 png_read_push_finish_row(png_ptr);
1023 }
1024
1025 if (png_ptr->pass == 4) /* Pass 3 might be empty */
1026 {
1027 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1028 {
1029 png_push_have_row(png_ptr, NULL);
1030 png_read_push_finish_row(png_ptr);
1031 }
1032 }
1033
1034 break;
1035 }
1036
1037 case 3:
1038 {
1039 int i;
1040
1041 for (i = 0; i < 4 && png_ptr->pass == 3; i++)
1042 {
1043 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1044 png_read_push_finish_row(png_ptr);
1045 }
1046
1047 if (png_ptr->pass == 4) /* Skip top two generated rows */
1048 {
1049 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1050 {
1051 png_push_have_row(png_ptr, NULL);
1052 png_read_push_finish_row(png_ptr);
1053 }
1054 }
1055
1056 break;
1057 }
1058
1059 case 4:
1060 {
1061 int i;
1062
1063 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1064 {
1065 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1066 png_read_push_finish_row(png_ptr);
1067 }
1068
1069 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1070 {
1071 png_push_have_row(png_ptr, NULL);
1072 png_read_push_finish_row(png_ptr);
1073 }
1074
1075 if (png_ptr->pass == 6) /* Pass 5 might be empty */
1076 {
1077 png_push_have_row(png_ptr, NULL);
1078 png_read_push_finish_row(png_ptr);
1079 }
1080
1081 break;
1082 }
1083
1084 case 5:
1085 {
1086 int i;
1087
1088 for (i = 0; i < 2 && png_ptr->pass == 5; i++)
1089 {
1090 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1091 png_read_push_finish_row(png_ptr);
1092 }
1093
1094 if (png_ptr->pass == 6) /* Skip top generated row */
1095 {
1096 png_push_have_row(png_ptr, NULL);
1097 png_read_push_finish_row(png_ptr);
1098 }
1099
1100 break;
1101 }
1102
1103 default:
1104 case 6:
1105 {
1106 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1107 png_read_push_finish_row(png_ptr);
1108
1109 if (png_ptr->pass != 6)
1110 break;
1111
1112 png_push_have_row(png_ptr, NULL);
1113 png_read_push_finish_row(png_ptr);
1114 }
1115 }
1116 }
1117 else
1118 #endif
1119 {
1120 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1121 png_read_push_finish_row(png_ptr);
1122 }
1123 }
1124
1125 void /* PRIVATE */
png_read_push_finish_row(png_structrp png_ptr)1126 png_read_push_finish_row(png_structrp png_ptr)
1127 {
1128 #ifdef PNG_READ_INTERLACING_SUPPORTED
1129 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1130
1131 /* Start of interlace block */
1132 static const png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
1133
1134 /* Offset to next interlace block */
1135 static const png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
1136
1137 /* Start of interlace block in the y direction */
1138 static const png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
1139
1140 /* Offset to next interlace block in the y direction */
1141 static const png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
1142
1143 /* Height of interlace block. This is not currently used - if you need
1144 * it, uncomment it here and in png.h
1145 static const png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
1146 */
1147 #endif
1148
1149 png_ptr->row_number++;
1150 if (png_ptr->row_number < png_ptr->num_rows)
1151 return;
1152
1153 #ifdef PNG_READ_INTERLACING_SUPPORTED
1154 if (png_ptr->interlaced != 0)
1155 {
1156 png_ptr->row_number = 0;
1157 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
1158
1159 do
1160 {
1161 png_ptr->pass++;
1162 if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
1163 (png_ptr->pass == 3 && png_ptr->width < 3) ||
1164 (png_ptr->pass == 5 && png_ptr->width < 2))
1165 png_ptr->pass++;
1166
1167 if (png_ptr->pass > 7)
1168 png_ptr->pass--;
1169
1170 if (png_ptr->pass >= 7)
1171 break;
1172
1173 png_ptr->iwidth = (png_ptr->width +
1174 png_pass_inc[png_ptr->pass] - 1 -
1175 png_pass_start[png_ptr->pass]) /
1176 png_pass_inc[png_ptr->pass];
1177
1178 if ((png_ptr->transformations & PNG_INTERLACE) != 0)
1179 break;
1180
1181 png_ptr->num_rows = (png_ptr->height +
1182 png_pass_yinc[png_ptr->pass] - 1 -
1183 png_pass_ystart[png_ptr->pass]) /
1184 png_pass_yinc[png_ptr->pass];
1185
1186 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1187 }
1188 #endif /* READ_INTERLACING */
1189 }
1190
1191 void /* PRIVATE */
png_push_have_info(png_structrp png_ptr,png_inforp info_ptr)1192 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
1193 {
1194 if (png_ptr->info_fn != NULL)
1195 (*(png_ptr->info_fn))(png_ptr, info_ptr);
1196 }
1197
1198 void /* PRIVATE */
png_push_have_end(png_structrp png_ptr,png_inforp info_ptr)1199 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
1200 {
1201 if (png_ptr->end_fn != NULL)
1202 (*(png_ptr->end_fn))(png_ptr, info_ptr);
1203 }
1204
1205 void /* PRIVATE */
png_push_have_row(png_structrp png_ptr,png_bytep row)1206 png_push_have_row(png_structrp png_ptr, png_bytep row)
1207 {
1208 if (png_ptr->row_fn != NULL)
1209 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1210 (int)png_ptr->pass);
1211 }
1212
1213 #ifdef PNG_READ_INTERLACING_SUPPORTED
1214 void PNGAPI
png_progressive_combine_row(png_const_structrp png_ptr,png_bytep old_row,png_const_bytep new_row)1215 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
1216 png_const_bytep new_row)
1217 {
1218 if (png_ptr == NULL)
1219 return;
1220
1221 /* new_row is a flag here - if it is NULL then the app callback was called
1222 * from an empty row (see the calls to png_struct::row_fn below), otherwise
1223 * it must be png_ptr->row_buf+1
1224 */
1225 if (new_row != NULL)
1226 png_combine_row(png_ptr, old_row, 1/*blocky display*/);
1227 }
1228 #endif /* READ_INTERLACING */
1229
1230 void PNGAPI
png_set_progressive_read_fn(png_structrp png_ptr,png_voidp progressive_ptr,png_progressive_info_ptr info_fn,png_progressive_row_ptr row_fn,png_progressive_end_ptr end_fn)1231 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
1232 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1233 png_progressive_end_ptr end_fn)
1234 {
1235 if (png_ptr == NULL)
1236 return;
1237
1238 png_ptr->info_fn = info_fn;
1239 png_ptr->row_fn = row_fn;
1240 png_ptr->end_fn = end_fn;
1241
1242 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1243 }
1244
1245 #ifdef PNG_READ_APNG_SUPPORTED
1246 void PNGAPI
png_set_progressive_frame_fn(png_structp png_ptr,png_progressive_frame_ptr frame_info_fn,png_progressive_frame_ptr frame_end_fn)1247 png_set_progressive_frame_fn(png_structp png_ptr,
1248 png_progressive_frame_ptr frame_info_fn,
1249 png_progressive_frame_ptr frame_end_fn)
1250 {
1251 png_ptr->frame_info_fn = frame_info_fn;
1252 png_ptr->frame_end_fn = frame_end_fn;
1253 png_ptr->apng_flags |= PNG_APNG_APP;
1254 }
1255 #endif
1256
1257 png_voidp PNGAPI
png_get_progressive_ptr(png_const_structrp png_ptr)1258 png_get_progressive_ptr(png_const_structrp png_ptr)
1259 {
1260 if (png_ptr == NULL)
1261 return (NULL);
1262
1263 return png_ptr->io_ptr;
1264 }
1265 #endif /* PROGRESSIVE_READ */
1266