1
2 /* png.c - location for general purpose libpng functions
3 *
4 * Copyright (c) 2018-2019 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 /* Generate a compiler error if there is an old png.h in the search path. */
17 typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37;
18
19 #ifdef __GNUC__
20 /* The version tests may need to be added to, but the problem warning has
21 * consistently been fixed in GCC versions which obtain wide-spread release.
22 * The problem is that many versions of GCC rearrange comparison expressions in
23 * the optimizer in such a way that the results of the comparison will change
24 * if signed integer overflow occurs. Such comparisons are not permitted in
25 * ANSI C90, however GCC isn't clever enough to work out that that do not occur
26 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
27 * -Wextra. Unfortunately this is highly dependent on the optimizer and the
28 * machine architecture so the warning comes and goes unpredictably and is
29 * impossible to "fix", even were that a good idea.
30 */
31 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1
32 #define GCC_STRICT_OVERFLOW 1
33 #endif /* GNU 7.1.x */
34 #endif /* GNU */
35 #ifndef GCC_STRICT_OVERFLOW
36 #define GCC_STRICT_OVERFLOW 0
37 #endif
38
39 /* Tells libpng that we have already handled the first "num_bytes" bytes
40 * of the PNG file signature. If the PNG data is embedded into another
41 * stream we can set num_bytes = 8 so that libpng will not attempt to read
42 * or write any of the magic bytes before it starts on the IHDR.
43 */
44
45 #ifdef PNG_READ_SUPPORTED
46 void PNGAPI
png_set_sig_bytes(png_structrp png_ptr,int num_bytes)47 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
48 {
49 unsigned int nb = (unsigned int)num_bytes;
50
51 png_debug(1, "in png_set_sig_bytes");
52
53 if (png_ptr == NULL)
54 return;
55
56 if (num_bytes < 0)
57 nb = 0;
58
59 if (nb > 8)
60 png_error(png_ptr, "Too many bytes for PNG signature");
61
62 png_ptr->sig_bytes = (png_byte)nb;
63 }
64
65 /* Checks whether the supplied bytes match the PNG signature. We allow
66 * checking less than the full 8-byte signature so that those apps that
67 * already read the first few bytes of a file to determine the file type
68 * can simply check the remaining bytes for extra assurance. Returns
69 * an integer less than, equal to, or greater than zero if sig is found,
70 * respectively, to be less than, to match, or be greater than the correct
71 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
72 */
73 int PNGAPI
png_sig_cmp(png_const_bytep sig,size_t start,size_t num_to_check)74 png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
75 {
76 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
77
78 if (num_to_check > 8)
79 num_to_check = 8;
80
81 else if (num_to_check < 1)
82 return (-1);
83
84 if (start > 7)
85 return (-1);
86
87 if (start + num_to_check > 8)
88 num_to_check = 8 - start;
89
90 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
91 }
92
93 #endif /* READ */
94
95 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
96 /* Function to allocate memory for zlib */
97 PNG_FUNCTION(voidpf /* PRIVATE */,
98 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
99 {
100 png_alloc_size_t num_bytes = size;
101
102 if (png_ptr == NULL)
103 return NULL;
104
105 if (items >= (~(png_alloc_size_t)0)/size)
106 {
107 png_warning (png_voidcast(png_structrp, png_ptr),
108 "Potential overflow in png_zalloc()");
109 return NULL;
110 }
111
112 num_bytes *= items;
113 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
114 }
115
116 /* Function to free memory for zlib */
117 void /* PRIVATE */
png_zfree(voidpf png_ptr,voidpf ptr)118 png_zfree(voidpf png_ptr, voidpf ptr)
119 {
120 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
121 }
122
123 /* Reset the CRC variable to 32 bits of 1's. Care must be taken
124 * in case CRC is > 32 bits to leave the top bits 0.
125 */
126 void /* PRIVATE */
png_reset_crc(png_structrp png_ptr)127 png_reset_crc(png_structrp png_ptr)
128 {
129 /* The cast is safe because the crc is a 32-bit value. */
130 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
131 }
132
133 /* Calculate the CRC over a section of data. We can only pass as
134 * much data to this routine as the largest single buffer size. We
135 * also check that this data will actually be used before going to the
136 * trouble of calculating it.
137 */
138 void /* PRIVATE */
png_calculate_crc(png_structrp png_ptr,png_const_bytep ptr,size_t length)139 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
140 {
141 int need_crc = 1;
142
143 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
144 {
145 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
146 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
147 need_crc = 0;
148 }
149
150 else /* critical */
151 {
152 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
153 need_crc = 0;
154 }
155
156 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
157 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
158 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
159 * necessary to perform a loop here.
160 */
161 if (need_crc != 0 && length > 0)
162 {
163 uLong crc = png_ptr->crc; /* Should never issue a warning */
164
165 do
166 {
167 uInt safe_length = (uInt)length;
168 #ifndef __COVERITY__
169 if (safe_length == 0)
170 safe_length = (uInt)-1; /* evil, but safe */
171 #endif
172
173 crc = crc32(crc, ptr, safe_length);
174
175 /* The following should never issue compiler warnings; if they do the
176 * target system has characteristics that will probably violate other
177 * assumptions within the libpng code.
178 */
179 ptr += safe_length;
180 length -= safe_length;
181 }
182 while (length > 0);
183
184 /* And the following is always safe because the crc is only 32 bits. */
185 png_ptr->crc = (png_uint_32)crc;
186 }
187 }
188
189 /* Check a user supplied version number, called from both read and write
190 * functions that create a png_struct.
191 */
192 int
png_user_version_check(png_structrp png_ptr,png_const_charp user_png_ver)193 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
194 {
195 /* Libpng versions 1.0.0 and later are binary compatible if the version
196 * string matches through the second '.'; we must recompile any
197 * applications that use any older library version.
198 */
199
200 if (user_png_ver != NULL)
201 {
202 int i = -1;
203 int found_dots = 0;
204
205 do
206 {
207 i++;
208 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
209 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
210 if (user_png_ver[i] == '.')
211 found_dots++;
212 } while (found_dots < 2 && user_png_ver[i] != 0 &&
213 PNG_LIBPNG_VER_STRING[i] != 0);
214 }
215
216 else
217 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
218
219 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
220 {
221 #ifdef PNG_WARNINGS_SUPPORTED
222 size_t pos = 0;
223 char m[128];
224
225 pos = png_safecat(m, (sizeof m), pos,
226 "Application built with libpng-");
227 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
228 pos = png_safecat(m, (sizeof m), pos, " but running with ");
229 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
230 PNG_UNUSED(pos)
231
232 png_warning(png_ptr, m);
233 #endif
234
235 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
236 png_ptr->flags = 0;
237 #endif
238
239 return 0;
240 }
241
242 /* Success return. */
243 return 1;
244 }
245
246 /* Generic function to create a png_struct for either read or write - this
247 * contains the common initialization.
248 */
249 PNG_FUNCTION(png_structp /* PRIVATE */,
250 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
251 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
252 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
253 {
254 png_struct create_struct;
255 # ifdef PNG_SETJMP_SUPPORTED
256 jmp_buf create_jmp_buf;
257 # endif
258
259 /* This temporary stack-allocated structure is used to provide a place to
260 * build enough context to allow the user provided memory allocator (if any)
261 * to be called.
262 */
263 memset(&create_struct, 0, (sizeof create_struct));
264
265 /* Added at libpng-1.2.6 */
266 # ifdef PNG_USER_LIMITS_SUPPORTED
267 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
268 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
269
270 # ifdef PNG_USER_CHUNK_CACHE_MAX
271 /* Added at libpng-1.2.43 and 1.4.0 */
272 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
273 # endif
274
275 # ifdef PNG_USER_CHUNK_MALLOC_MAX
276 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
277 * in png_struct regardless.
278 */
279 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
280 # endif
281 # endif
282
283 /* The following two API calls simply set fields in png_struct, so it is safe
284 * to do them now even though error handling is not yet set up.
285 */
286 # ifdef PNG_USER_MEM_SUPPORTED
287 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
288 # else
289 PNG_UNUSED(mem_ptr)
290 PNG_UNUSED(malloc_fn)
291 PNG_UNUSED(free_fn)
292 # endif
293
294 /* (*error_fn) can return control to the caller after the error_ptr is set,
295 * this will result in a memory leak unless the error_fn does something
296 * extremely sophisticated. The design lacks merit but is implicit in the
297 * API.
298 */
299 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
300
301 # ifdef PNG_SETJMP_SUPPORTED
302 if (!setjmp(create_jmp_buf))
303 # endif
304 {
305 # ifdef PNG_SETJMP_SUPPORTED
306 /* Temporarily fake out the longjmp information until we have
307 * successfully completed this function. This only works if we have
308 * setjmp() support compiled in, but it is safe - this stuff should
309 * never happen.
310 */
311 create_struct.jmp_buf_ptr = &create_jmp_buf;
312 create_struct.jmp_buf_size = 0; /*stack allocation*/
313 create_struct.longjmp_fn = longjmp;
314 # endif
315 /* Call the general version checker (shared with read and write code):
316 */
317 if (png_user_version_check(&create_struct, user_png_ver) != 0)
318 {
319 png_structrp png_ptr = png_voidcast(png_structrp,
320 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
321
322 if (png_ptr != NULL)
323 {
324 /* png_ptr->zstream holds a back-pointer to the png_struct, so
325 * this can only be done now:
326 */
327 create_struct.zstream.zalloc = png_zalloc;
328 create_struct.zstream.zfree = png_zfree;
329 create_struct.zstream.opaque = png_ptr;
330
331 # ifdef PNG_SETJMP_SUPPORTED
332 /* Eliminate the local error handling: */
333 create_struct.jmp_buf_ptr = NULL;
334 create_struct.jmp_buf_size = 0;
335 create_struct.longjmp_fn = 0;
336 # endif
337
338 *png_ptr = create_struct;
339
340 /* This is the successful return point */
341 return png_ptr;
342 }
343 }
344 }
345
346 /* A longjmp because of a bug in the application storage allocator or a
347 * simple failure to allocate the png_struct.
348 */
349 return NULL;
350 }
351
352 /* Allocate the memory for an info_struct for the application. */
353 PNG_FUNCTION(png_infop,PNGAPI
354 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
355 {
356 png_inforp info_ptr;
357
358 png_debug(1, "in png_create_info_struct");
359
360 if (png_ptr == NULL)
361 return NULL;
362
363 /* Use the internal API that does not (or at least should not) error out, so
364 * that this call always returns ok. The application typically sets up the
365 * error handling *after* creating the info_struct because this is the way it
366 * has always been done in 'example.c'.
367 */
368 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
369 (sizeof *info_ptr)));
370
371 if (info_ptr != NULL)
372 memset(info_ptr, 0, (sizeof *info_ptr));
373
374 return info_ptr;
375 }
376
377 /* This function frees the memory associated with a single info struct.
378 * Normally, one would use either png_destroy_read_struct() or
379 * png_destroy_write_struct() to free an info struct, but this may be
380 * useful for some applications. From libpng 1.6.0 this function is also used
381 * internally to implement the png_info release part of the 'struct' destroy
382 * APIs. This ensures that all possible approaches free the same data (all of
383 * it).
384 */
385 void PNGAPI
png_destroy_info_struct(png_const_structrp png_ptr,png_infopp info_ptr_ptr)386 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
387 {
388 png_inforp info_ptr = NULL;
389
390 png_debug(1, "in png_destroy_info_struct");
391
392 if (png_ptr == NULL)
393 return;
394
395 if (info_ptr_ptr != NULL)
396 info_ptr = *info_ptr_ptr;
397
398 if (info_ptr != NULL)
399 {
400 /* Do this first in case of an error below; if the app implements its own
401 * memory management this can lead to png_free calling png_error, which
402 * will abort this routine and return control to the app error handler.
403 * An infinite loop may result if it then tries to free the same info
404 * ptr.
405 */
406 *info_ptr_ptr = NULL;
407
408 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
409 memset(info_ptr, 0, (sizeof *info_ptr));
410 png_free(png_ptr, info_ptr);
411 }
412 }
413
414 /* Initialize the info structure. This is now an internal function (0.89)
415 * and applications using it are urged to use png_create_info_struct()
416 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
417 * is just a memset).
418 *
419 * NOTE: it is almost inconceivable that this API is used because it bypasses
420 * the user-memory mechanism and the user error handling/warning mechanisms in
421 * those cases where it does anything other than a memset.
422 */
423 PNG_FUNCTION(void,PNGAPI
424 png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
425 PNG_DEPRECATED)
426 {
427 png_inforp info_ptr = *ptr_ptr;
428
429 png_debug(1, "in png_info_init_3");
430
431 if (info_ptr == NULL)
432 return;
433
434 if ((sizeof (png_info)) > png_info_struct_size)
435 {
436 *ptr_ptr = NULL;
437 /* The following line is why this API should not be used: */
438 free(info_ptr);
439 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
440 (sizeof *info_ptr)));
441 if (info_ptr == NULL)
442 return;
443 *ptr_ptr = info_ptr;
444 }
445
446 /* Set everything to 0 */
447 memset(info_ptr, 0, (sizeof *info_ptr));
448 }
449
450 /* The following API is not called internally */
451 void PNGAPI
png_data_freer(png_const_structrp png_ptr,png_inforp info_ptr,int freer,png_uint_32 mask)452 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
453 int freer, png_uint_32 mask)
454 {
455 png_debug(1, "in png_data_freer");
456
457 if (png_ptr == NULL || info_ptr == NULL)
458 return;
459
460 if (freer == PNG_DESTROY_WILL_FREE_DATA)
461 info_ptr->free_me |= mask;
462
463 else if (freer == PNG_USER_WILL_FREE_DATA)
464 info_ptr->free_me &= ~mask;
465
466 else
467 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
468 }
469
470 void PNGAPI
png_free_data(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 mask,int num)471 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
472 int num)
473 {
474 png_debug(1, "in png_free_data");
475
476 if (png_ptr == NULL || info_ptr == NULL)
477 return;
478
479 #ifdef PNG_TEXT_SUPPORTED
480 /* Free text item num or (if num == -1) all text items */
481 if (info_ptr->text != NULL &&
482 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
483 {
484 if (num != -1)
485 {
486 png_free(png_ptr, info_ptr->text[num].key);
487 info_ptr->text[num].key = NULL;
488 }
489
490 else
491 {
492 int i;
493
494 for (i = 0; i < info_ptr->num_text; i++)
495 png_free(png_ptr, info_ptr->text[i].key);
496
497 png_free(png_ptr, info_ptr->text);
498 info_ptr->text = NULL;
499 info_ptr->num_text = 0;
500 info_ptr->max_text = 0;
501 }
502 }
503 #endif
504
505 #ifdef PNG_tRNS_SUPPORTED
506 /* Free any tRNS entry */
507 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
508 {
509 info_ptr->valid &= ~PNG_INFO_tRNS;
510 png_free(png_ptr, info_ptr->trans_alpha);
511 info_ptr->trans_alpha = NULL;
512 info_ptr->num_trans = 0;
513 }
514 #endif
515
516 #ifdef PNG_sCAL_SUPPORTED
517 /* Free any sCAL entry */
518 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
519 {
520 png_free(png_ptr, info_ptr->scal_s_width);
521 png_free(png_ptr, info_ptr->scal_s_height);
522 info_ptr->scal_s_width = NULL;
523 info_ptr->scal_s_height = NULL;
524 info_ptr->valid &= ~PNG_INFO_sCAL;
525 }
526 #endif
527
528 #ifdef PNG_pCAL_SUPPORTED
529 /* Free any pCAL entry */
530 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
531 {
532 png_free(png_ptr, info_ptr->pcal_purpose);
533 png_free(png_ptr, info_ptr->pcal_units);
534 info_ptr->pcal_purpose = NULL;
535 info_ptr->pcal_units = NULL;
536
537 if (info_ptr->pcal_params != NULL)
538 {
539 int i;
540
541 for (i = 0; i < info_ptr->pcal_nparams; i++)
542 png_free(png_ptr, info_ptr->pcal_params[i]);
543
544 png_free(png_ptr, info_ptr->pcal_params);
545 info_ptr->pcal_params = NULL;
546 }
547 info_ptr->valid &= ~PNG_INFO_pCAL;
548 }
549 #endif
550
551 #ifdef PNG_iCCP_SUPPORTED
552 /* Free any profile entry */
553 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
554 {
555 png_free(png_ptr, info_ptr->iccp_name);
556 png_free(png_ptr, info_ptr->iccp_profile);
557 info_ptr->iccp_name = NULL;
558 info_ptr->iccp_profile = NULL;
559 info_ptr->valid &= ~PNG_INFO_iCCP;
560 }
561 #endif
562
563 #ifdef PNG_sPLT_SUPPORTED
564 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
565 if (info_ptr->splt_palettes != NULL &&
566 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
567 {
568 if (num != -1)
569 {
570 png_free(png_ptr, info_ptr->splt_palettes[num].name);
571 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
572 info_ptr->splt_palettes[num].name = NULL;
573 info_ptr->splt_palettes[num].entries = NULL;
574 }
575
576 else
577 {
578 int i;
579
580 for (i = 0; i < info_ptr->splt_palettes_num; i++)
581 {
582 png_free(png_ptr, info_ptr->splt_palettes[i].name);
583 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
584 }
585
586 png_free(png_ptr, info_ptr->splt_palettes);
587 info_ptr->splt_palettes = NULL;
588 info_ptr->splt_palettes_num = 0;
589 info_ptr->valid &= ~PNG_INFO_sPLT;
590 }
591 }
592 #endif
593
594 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
595 if (info_ptr->unknown_chunks != NULL &&
596 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
597 {
598 if (num != -1)
599 {
600 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
601 info_ptr->unknown_chunks[num].data = NULL;
602 }
603
604 else
605 {
606 int i;
607
608 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
609 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
610
611 png_free(png_ptr, info_ptr->unknown_chunks);
612 info_ptr->unknown_chunks = NULL;
613 info_ptr->unknown_chunks_num = 0;
614 }
615 }
616 #endif
617
618 #ifdef PNG_eXIf_SUPPORTED
619 /* Free any eXIf entry */
620 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
621 {
622 # ifdef PNG_READ_eXIf_SUPPORTED
623 if (info_ptr->eXIf_buf)
624 {
625 png_free(png_ptr, info_ptr->eXIf_buf);
626 info_ptr->eXIf_buf = NULL;
627 }
628 # endif
629 if (info_ptr->exif)
630 {
631 png_free(png_ptr, info_ptr->exif);
632 info_ptr->exif = NULL;
633 }
634 info_ptr->valid &= ~PNG_INFO_eXIf;
635 }
636 #endif
637
638 #ifdef PNG_hIST_SUPPORTED
639 /* Free any hIST entry */
640 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
641 {
642 png_free(png_ptr, info_ptr->hist);
643 info_ptr->hist = NULL;
644 info_ptr->valid &= ~PNG_INFO_hIST;
645 }
646 #endif
647
648 /* Free any PLTE entry that was internally allocated */
649 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
650 {
651 png_free(png_ptr, info_ptr->palette);
652 info_ptr->palette = NULL;
653 info_ptr->valid &= ~PNG_INFO_PLTE;
654 info_ptr->num_palette = 0;
655 }
656
657 #ifdef PNG_INFO_IMAGE_SUPPORTED
658 /* Free any image bits attached to the info structure */
659 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
660 {
661 if (info_ptr->row_pointers != NULL)
662 {
663 png_uint_32 row;
664 for (row = 0; row < info_ptr->height; row++)
665 png_free(png_ptr, info_ptr->row_pointers[row]);
666
667 png_free(png_ptr, info_ptr->row_pointers);
668 info_ptr->row_pointers = NULL;
669 }
670 info_ptr->valid &= ~PNG_INFO_IDAT;
671 }
672 #endif
673
674 if (num != -1)
675 mask &= ~PNG_FREE_MUL;
676
677 info_ptr->free_me &= ~mask;
678 }
679 #endif /* READ || WRITE */
680
681 /* This function returns a pointer to the io_ptr associated with the user
682 * functions. The application should free any memory associated with this
683 * pointer before png_write_destroy() or png_read_destroy() are called.
684 */
685 png_voidp PNGAPI
png_get_io_ptr(png_const_structrp png_ptr)686 png_get_io_ptr(png_const_structrp png_ptr)
687 {
688 if (png_ptr == NULL)
689 return (NULL);
690
691 return (png_ptr->io_ptr);
692 }
693
694 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
695 # ifdef PNG_STDIO_SUPPORTED
696 /* Initialize the default input/output functions for the PNG file. If you
697 * use your own read or write routines, you can call either png_set_read_fn()
698 * or png_set_write_fn() instead of png_init_io(). If you have defined
699 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
700 * function of your own because "FILE *" isn't necessarily available.
701 */
702 void PNGAPI
png_init_io(png_structrp png_ptr,png_FILE_p fp)703 png_init_io(png_structrp png_ptr, png_FILE_p fp)
704 {
705 png_debug(1, "in png_init_io");
706
707 if (png_ptr == NULL)
708 return;
709
710 png_ptr->io_ptr = (png_voidp)fp;
711 }
712 # endif
713
714 # ifdef PNG_SAVE_INT_32_SUPPORTED
715 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
716 * defines a cast of a signed integer to an unsigned integer either to preserve
717 * the value, if it is positive, or to calculate:
718 *
719 * (UNSIGNED_MAX+1) + integer
720 *
721 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
722 * negative integral value is added the result will be an unsigned value
723 * correspnding to the 2's complement representation.
724 */
725 void PNGAPI
png_save_int_32(png_bytep buf,png_int_32 i)726 png_save_int_32(png_bytep buf, png_int_32 i)
727 {
728 png_save_uint_32(buf, (png_uint_32)i);
729 }
730 # endif
731
732 # ifdef PNG_TIME_RFC1123_SUPPORTED
733 /* Convert the supplied time into an RFC 1123 string suitable for use in
734 * a "Creation Time" or other text-based time string.
735 */
736 int PNGAPI
png_convert_to_rfc1123_buffer(char out[29],png_const_timep ptime)737 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
738 {
739 static const char short_months[12][4] =
740 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
741 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
742
743 if (out == NULL)
744 return 0;
745
746 if (ptime->year > 9999 /* RFC1123 limitation */ ||
747 ptime->month == 0 || ptime->month > 12 ||
748 ptime->day == 0 || ptime->day > 31 ||
749 ptime->hour > 23 || ptime->minute > 59 ||
750 ptime->second > 60)
751 return 0;
752
753 {
754 size_t pos = 0;
755 char number_buf[5]; /* enough for a four-digit year */
756
757 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
758 # define APPEND_NUMBER(format, value)\
759 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
760 # define APPEND(ch) if (pos < 28) out[pos++] = (ch)
761
762 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
763 APPEND(' ');
764 APPEND_STRING(short_months[(ptime->month - 1)]);
765 APPEND(' ');
766 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
767 APPEND(' ');
768 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
769 APPEND(':');
770 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
771 APPEND(':');
772 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
773 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
774 PNG_UNUSED (pos)
775
776 # undef APPEND
777 # undef APPEND_NUMBER
778 # undef APPEND_STRING
779 }
780
781 return 1;
782 }
783
784 # if PNG_LIBPNG_VER < 10700
785 /* To do: remove the following from libpng-1.7 */
786 /* Original API that uses a private buffer in png_struct.
787 * Deprecated because it causes png_struct to carry a spurious temporary
788 * buffer (png_struct::time_buffer), better to have the caller pass this in.
789 */
790 png_const_charp PNGAPI
png_convert_to_rfc1123(png_structrp png_ptr,png_const_timep ptime)791 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
792 {
793 if (png_ptr != NULL)
794 {
795 /* The only failure above if png_ptr != NULL is from an invalid ptime */
796 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
797 png_warning(png_ptr, "Ignoring invalid time value");
798
799 else
800 return png_ptr->time_buffer;
801 }
802
803 return NULL;
804 }
805 # endif /* LIBPNG_VER < 10700 */
806 # endif /* TIME_RFC1123 */
807
808 #endif /* READ || WRITE */
809
810 png_const_charp PNGAPI
png_get_copyright(png_const_structrp png_ptr)811 png_get_copyright(png_const_structrp png_ptr)
812 {
813 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
814 #ifdef PNG_STRING_COPYRIGHT
815 return PNG_STRING_COPYRIGHT
816 #else
817 return PNG_STRING_NEWLINE \
818 "libpng version 1.6.37" PNG_STRING_NEWLINE \
819 "Copyright (c) 2018-2019 Cosmin Truta" PNG_STRING_NEWLINE \
820 "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
821 PNG_STRING_NEWLINE \
822 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
823 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
824 PNG_STRING_NEWLINE;
825 #endif
826 }
827
828 /* The following return the library version as a short string in the
829 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
830 * used with your application, print out PNG_LIBPNG_VER_STRING, which
831 * is defined in png.h.
832 * Note: now there is no difference between png_get_libpng_ver() and
833 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
834 * it is guaranteed that png.c uses the correct version of png.h.
835 */
836 png_const_charp PNGAPI
837 png_get_libpng_ver(png_const_structrp png_ptr)
838 {
839 /* Version of *.c files used when building libpng */
840 return png_get_header_ver(png_ptr);
841 }
842
843 png_const_charp PNGAPI
844 png_get_header_ver(png_const_structrp png_ptr)
845 {
846 /* Version of *.h files used when building libpng */
847 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
848 return PNG_LIBPNG_VER_STRING;
849 }
850
851 png_const_charp PNGAPI
852 png_get_header_version(png_const_structrp png_ptr)
853 {
854 /* Returns longer string containing both version and date */
855 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
856 #ifdef __STDC__
857 return PNG_HEADER_VERSION_STRING
858 # ifndef PNG_READ_SUPPORTED
859 " (NO READ SUPPORT)"
860 # endif
861 PNG_STRING_NEWLINE;
862 #else
863 return PNG_HEADER_VERSION_STRING;
864 #endif
865 }
866
867 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
868 /* NOTE: this routine is not used internally! */
869 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
870 * large of png_color. This lets grayscale images be treated as
871 * paletted. Most useful for gamma correction and simplification
872 * of code. This API is not used internally.
873 */
874 void PNGAPI
875 png_build_grayscale_palette(int bit_depth, png_colorp palette)
876 {
877 int num_palette;
878 int color_inc;
879 int i;
880 int v;
881
882 png_debug(1, "in png_do_build_grayscale_palette");
883
884 if (palette == NULL)
885 return;
886
887 switch (bit_depth)
888 {
889 case 1:
890 num_palette = 2;
891 color_inc = 0xff;
892 break;
893
894 case 2:
895 num_palette = 4;
896 color_inc = 0x55;
897 break;
898
899 case 4:
900 num_palette = 16;
901 color_inc = 0x11;
902 break;
903
904 case 8:
905 num_palette = 256;
906 color_inc = 1;
907 break;
908
909 default:
910 num_palette = 0;
911 color_inc = 0;
912 break;
913 }
914
915 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
916 {
917 palette[i].red = (png_byte)(v & 0xff);
918 palette[i].green = (png_byte)(v & 0xff);
919 palette[i].blue = (png_byte)(v & 0xff);
920 }
921 }
922 #endif
923
924 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
925 int PNGAPI
926 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
927 {
928 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
929 png_const_bytep p, p_end;
930
931 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
932 return PNG_HANDLE_CHUNK_AS_DEFAULT;
933
934 p_end = png_ptr->chunk_list;
935 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
936
937 /* The code is the fifth byte after each four byte string. Historically this
938 * code was always searched from the end of the list, this is no longer
939 * necessary because the 'set' routine handles duplicate entries correctly.
940 */
941 do /* num_chunk_list > 0, so at least one */
942 {
943 p -= 5;
944
945 if (memcmp(chunk_name, p, 4) == 0)
946 return p[4];
947 }
948 while (p > p_end);
949
950 /* This means that known chunks should be processed and unknown chunks should
951 * be handled according to the value of png_ptr->unknown_default; this can be
952 * confusing because, as a result, there are two levels of defaulting for
953 * unknown chunks.
954 */
955 return PNG_HANDLE_CHUNK_AS_DEFAULT;
956 }
957
958 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
959 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
960 int /* PRIVATE */
961 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
962 {
963 png_byte chunk_string[5];
964
965 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
966 return png_handle_as_unknown(png_ptr, chunk_string);
967 }
968 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
969 #endif /* SET_UNKNOWN_CHUNKS */
970
971 #ifdef PNG_READ_SUPPORTED
972 /* This function, added to libpng-1.0.6g, is untested. */
973 int PNGAPI
974 png_reset_zstream(png_structrp png_ptr)
975 {
976 if (png_ptr == NULL)
977 return Z_STREAM_ERROR;
978
979 /* WARNING: this resets the window bits to the maximum! */
980 return (inflateReset(&png_ptr->zstream));
981 }
982 #endif /* READ */
983
984 /* This function was added to libpng-1.0.7 */
985 png_uint_32 PNGAPI
986 png_access_version_number(void)
987 {
988 /* Version of *.c files used when building libpng */
989 return((png_uint_32)PNG_LIBPNG_VER);
990 }
991
992 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
993 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
994 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
995 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
996 */
997 void /* PRIVATE */
998 png_zstream_error(png_structrp png_ptr, int ret)
999 {
1000 /* Translate 'ret' into an appropriate error string, priority is given to the
1001 * one in zstream if set. This always returns a string, even in cases like
1002 * Z_OK or Z_STREAM_END where the error code is a success code.
1003 */
1004 if (png_ptr->zstream.msg == NULL) switch (ret)
1005 {
1006 default:
1007 case Z_OK:
1008 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1009 break;
1010
1011 case Z_STREAM_END:
1012 /* Normal exit */
1013 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1014 break;
1015
1016 case Z_NEED_DICT:
1017 /* This means the deflate stream did not have a dictionary; this
1018 * indicates a bogus PNG.
1019 */
1020 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1021 break;
1022
1023 case Z_ERRNO:
1024 /* gz APIs only: should not happen */
1025 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1026 break;
1027
1028 case Z_STREAM_ERROR:
1029 /* internal libpng error */
1030 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1031 break;
1032
1033 case Z_DATA_ERROR:
1034 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1035 break;
1036
1037 case Z_MEM_ERROR:
1038 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1039 break;
1040
1041 case Z_BUF_ERROR:
1042 /* End of input or output; not a problem if the caller is doing
1043 * incremental read or write.
1044 */
1045 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1046 break;
1047
1048 case Z_VERSION_ERROR:
1049 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1050 break;
1051
1052 case PNG_UNEXPECTED_ZLIB_RETURN:
1053 /* Compile errors here mean that zlib now uses the value co-opted in
1054 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1055 * and change pngpriv.h. Note that this message is "... return",
1056 * whereas the default/Z_OK one is "... return code".
1057 */
1058 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1059 break;
1060 }
1061 }
1062
1063 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1064 * at libpng 1.5.5!
1065 */
1066
1067 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1068 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1069 static int
1070 png_colorspace_check_gamma(png_const_structrp png_ptr,
1071 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1072 /* This is called to check a new gamma value against an existing one. The
1073 * routine returns false if the new gamma value should not be written.
1074 *
1075 * 'from' says where the new gamma value comes from:
1076 *
1077 * 0: the new gamma value is the libpng estimate for an ICC profile
1078 * 1: the new gamma value comes from a gAMA chunk
1079 * 2: the new gamma value comes from an sRGB chunk
1080 */
1081 {
1082 png_fixed_point gtest;
1083
1084 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1085 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1086 png_gamma_significant(gtest) != 0))
1087 {
1088 /* Either this is an sRGB image, in which case the calculated gamma
1089 * approximation should match, or this is an image with a profile and the
1090 * value libpng calculates for the gamma of the profile does not match the
1091 * value recorded in the file. The former, sRGB, case is an error, the
1092 * latter is just a warning.
1093 */
1094 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1095 {
1096 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1097 PNG_CHUNK_ERROR);
1098 /* Do not overwrite an sRGB value */
1099 return from == 2;
1100 }
1101
1102 else /* sRGB tag not involved */
1103 {
1104 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1105 PNG_CHUNK_WARNING);
1106 return from == 1;
1107 }
1108 }
1109
1110 return 1;
1111 }
1112
1113 void /* PRIVATE */
1114 png_colorspace_set_gamma(png_const_structrp png_ptr,
1115 png_colorspacerp colorspace, png_fixed_point gAMA)
1116 {
1117 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1118 * occur. Since the fixed point representation is asymmetrical it is
1119 * possible for 1/gamma to overflow the limit of 21474 and this means the
1120 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1121 * safety the limits here are a little narrower. The values are 0.00016 to
1122 * 6250.0, which are truly ridiculous gamma values (and will produce
1123 * displays that are all black or all white.)
1124 *
1125 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1126 * handling code, which only required the value to be >0.
1127 */
1128 png_const_charp errmsg;
1129
1130 if (gAMA < 16 || gAMA > 625000000)
1131 errmsg = "gamma value out of range";
1132
1133 # ifdef PNG_READ_gAMA_SUPPORTED
1134 /* Allow the application to set the gamma value more than once */
1135 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1136 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1137 errmsg = "duplicate";
1138 # endif
1139
1140 /* Do nothing if the colorspace is already invalid */
1141 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1142 return;
1143
1144 else
1145 {
1146 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1147 1/*from gAMA*/) != 0)
1148 {
1149 /* Store this gamma value. */
1150 colorspace->gamma = gAMA;
1151 colorspace->flags |=
1152 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1153 }
1154
1155 /* At present if the check_gamma test fails the gamma of the colorspace is
1156 * not updated however the colorspace is not invalidated. This
1157 * corresponds to the case where the existing gamma comes from an sRGB
1158 * chunk or profile. An error message has already been output.
1159 */
1160 return;
1161 }
1162
1163 /* Error exit - errmsg has been set. */
1164 colorspace->flags |= PNG_COLORSPACE_INVALID;
1165 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1166 }
1167
1168 void /* PRIVATE */
1169 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1170 {
1171 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1172 {
1173 /* Everything is invalid */
1174 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1175 PNG_INFO_iCCP);
1176
1177 # ifdef PNG_COLORSPACE_SUPPORTED
1178 /* Clean up the iCCP profile now if it won't be used. */
1179 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1180 # else
1181 PNG_UNUSED(png_ptr)
1182 # endif
1183 }
1184
1185 else
1186 {
1187 # ifdef PNG_COLORSPACE_SUPPORTED
1188 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1189 * it; this allows a PNG to contain a profile which matches sRGB and
1190 * yet still have that profile retrievable by the application.
1191 */
1192 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1193 info_ptr->valid |= PNG_INFO_sRGB;
1194
1195 else
1196 info_ptr->valid &= ~PNG_INFO_sRGB;
1197
1198 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1199 info_ptr->valid |= PNG_INFO_cHRM;
1200
1201 else
1202 info_ptr->valid &= ~PNG_INFO_cHRM;
1203 # endif
1204
1205 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1206 info_ptr->valid |= PNG_INFO_gAMA;
1207
1208 else
1209 info_ptr->valid &= ~PNG_INFO_gAMA;
1210 }
1211 }
1212
1213 #ifdef PNG_READ_SUPPORTED
1214 void /* PRIVATE */
1215 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1216 {
1217 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1218 return;
1219
1220 info_ptr->colorspace = png_ptr->colorspace;
1221 png_colorspace_sync_info(png_ptr, info_ptr);
1222 }
1223 #endif
1224 #endif /* GAMMA */
1225
1226 #ifdef PNG_COLORSPACE_SUPPORTED
1227 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1228 * cHRM, as opposed to using chromaticities. These internal APIs return
1229 * non-zero on a parameter error. The X, Y and Z values are required to be
1230 * positive and less than 1.0.
1231 */
1232 static int
1233 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1234 {
1235 png_int_32 d, dwhite, whiteX, whiteY;
1236
1237 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1238 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1239 return 1;
1240 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1241 return 1;
1242 dwhite = d;
1243 whiteX = XYZ->red_X;
1244 whiteY = XYZ->red_Y;
1245
1246 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1247 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1248 return 1;
1249 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1250 return 1;
1251 dwhite += d;
1252 whiteX += XYZ->green_X;
1253 whiteY += XYZ->green_Y;
1254
1255 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1256 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1257 return 1;
1258 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1259 return 1;
1260 dwhite += d;
1261 whiteX += XYZ->blue_X;
1262 whiteY += XYZ->blue_Y;
1263
1264 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1265 * thus:
1266 */
1267 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1268 return 1;
1269 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1270 return 1;
1271
1272 return 0;
1273 }
1274
1275 static int
1276 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1277 {
1278 png_fixed_point red_inverse, green_inverse, blue_scale;
1279 png_fixed_point left, right, denominator;
1280
1281 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1282 * have end points with 0 tristimulus values (these are impossible end
1283 * points, but they are used to cover the possible colors). We check
1284 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1285 */
1286 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1287 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1288 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1289 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1290 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1291 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1292 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1293 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1294
1295 /* The reverse calculation is more difficult because the original tristimulus
1296 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1297 * derived values were recorded in the cHRM chunk;
1298 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1299 * therefore an arbitrary ninth value has to be introduced to undo the
1300 * original transformations.
1301 *
1302 * Think of the original end-points as points in (X,Y,Z) space. The
1303 * chromaticity values (c) have the property:
1304 *
1305 * C
1306 * c = ---------
1307 * X + Y + Z
1308 *
1309 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1310 * three chromaticity values (x,y,z) for each end-point obey the
1311 * relationship:
1312 *
1313 * x + y + z = 1
1314 *
1315 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1316 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1317 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1318 * and chromaticity is the intersection of the vector from the origin to the
1319 * (X,Y,Z) value with the chromaticity plane.
1320 *
1321 * To fully invert the chromaticity calculation we would need the three
1322 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1323 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1324 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1325 * given all three of the scale factors since:
1326 *
1327 * color-C = color-c * color-scale
1328 * white-C = red-C + green-C + blue-C
1329 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1330 *
1331 * But cHRM records only white-x and white-y, so we have lost the white scale
1332 * factor:
1333 *
1334 * white-C = white-c*white-scale
1335 *
1336 * To handle this the inverse transformation makes an arbitrary assumption
1337 * about white-scale:
1338 *
1339 * Assume: white-Y = 1.0
1340 * Hence: white-scale = 1/white-y
1341 * Or: red-Y + green-Y + blue-Y = 1.0
1342 *
1343 * Notice the last statement of the assumption gives an equation in three of
1344 * the nine values we want to calculate. 8 more equations come from the
1345 * above routine as summarised at the top above (the chromaticity
1346 * calculation):
1347 *
1348 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1349 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1350 *
1351 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1352 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1353 * determinants, however this is not as bad as it seems because only 28 of
1354 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1355 * Cramer's rule is notoriously numerically unstable because the determinant
1356 * calculation involves the difference of large, but similar, numbers. It is
1357 * difficult to be sure that the calculation is stable for real world values
1358 * and it is certain that it becomes unstable where the end points are close
1359 * together.
1360 *
1361 * So this code uses the perhaps slightly less optimal but more
1362 * understandable and totally obvious approach of calculating color-scale.
1363 *
1364 * This algorithm depends on the precision in white-scale and that is
1365 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1366 * accuracy inherent in the cHRM chunk drops off substantially.
1367 *
1368 * libpng arithmetic: a simple inversion of the above equations
1369 * ------------------------------------------------------------
1370 *
1371 * white_scale = 1/white-y
1372 * white-X = white-x * white-scale
1373 * white-Y = 1.0
1374 * white-Z = (1 - white-x - white-y) * white_scale
1375 *
1376 * white-C = red-C + green-C + blue-C
1377 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1378 *
1379 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1380 * all the coefficients are now known:
1381 *
1382 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1383 * = white-x/white-y
1384 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1385 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1386 * = (1 - white-x - white-y)/white-y
1387 *
1388 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1389 * three equations together to get an alternative third:
1390 *
1391 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1392 *
1393 * So now we have a Cramer's rule solution where the determinants are just
1394 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1395 * multiplication of three coefficients so we can't guarantee to avoid
1396 * overflow in the libpng fixed point representation. Using Cramer's rule in
1397 * floating point is probably a good choice here, but it's not an option for
1398 * fixed point. Instead proceed to simplify the first two equations by
1399 * eliminating what is likely to be the largest value, blue-scale:
1400 *
1401 * blue-scale = white-scale - red-scale - green-scale
1402 *
1403 * Hence:
1404 *
1405 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1406 * (white-x - blue-x)*white-scale
1407 *
1408 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1409 * 1 - blue-y*white-scale
1410 *
1411 * And now we can trivially solve for (red-scale,green-scale):
1412 *
1413 * green-scale =
1414 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1415 * -----------------------------------------------------------
1416 * green-x - blue-x
1417 *
1418 * red-scale =
1419 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1420 * ---------------------------------------------------------
1421 * red-y - blue-y
1422 *
1423 * Hence:
1424 *
1425 * red-scale =
1426 * ( (green-x - blue-x) * (white-y - blue-y) -
1427 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1428 * -------------------------------------------------------------------------
1429 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1430 *
1431 * green-scale =
1432 * ( (red-y - blue-y) * (white-x - blue-x) -
1433 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1434 * -------------------------------------------------------------------------
1435 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1436 *
1437 * Accuracy:
1438 * The input values have 5 decimal digits of accuracy. The values are all in
1439 * the range 0 < value < 1, so simple products are in the same range but may
1440 * need up to 10 decimal digits to preserve the original precision and avoid
1441 * underflow. Because we are using a 32-bit signed representation we cannot
1442 * match this; the best is a little over 9 decimal digits, less than 10.
1443 *
1444 * The approach used here is to preserve the maximum precision within the
1445 * signed representation. Because the red-scale calculation above uses the
1446 * difference between two products of values that must be in the range -1..+1
1447 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1448 * factor is irrelevant in the calculation because it is applied to both
1449 * numerator and denominator.
1450 *
1451 * Note that the values of the differences of the products of the
1452 * chromaticities in the above equations tend to be small, for example for
1453 * the sRGB chromaticities they are:
1454 *
1455 * red numerator: -0.04751
1456 * green numerator: -0.08788
1457 * denominator: -0.2241 (without white-y multiplication)
1458 *
1459 * The resultant Y coefficients from the chromaticities of some widely used
1460 * color space definitions are (to 15 decimal places):
1461 *
1462 * sRGB
1463 * 0.212639005871510 0.715168678767756 0.072192315360734
1464 * Kodak ProPhoto
1465 * 0.288071128229293 0.711843217810102 0.000085653960605
1466 * Adobe RGB
1467 * 0.297344975250536 0.627363566255466 0.075291458493998
1468 * Adobe Wide Gamut RGB
1469 * 0.258728243040113 0.724682314948566 0.016589442011321
1470 */
1471 /* By the argument, above overflow should be impossible here. The return
1472 * value of 2 indicates an internal error to the caller.
1473 */
1474 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1475 return 2;
1476 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1477 return 2;
1478 denominator = left - right;
1479
1480 /* Now find the red numerator. */
1481 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1482 return 2;
1483 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1484 return 2;
1485
1486 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1487 * chunk values. This calculation actually returns the reciprocal of the
1488 * scale value because this allows us to delay the multiplication of white-y
1489 * into the denominator, which tends to produce a small number.
1490 */
1491 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1492 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1493 return 1;
1494
1495 /* Similarly for green_inverse: */
1496 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1497 return 2;
1498 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1499 return 2;
1500 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1501 green_inverse <= xy->whitey)
1502 return 1;
1503
1504 /* And the blue scale, the checks above guarantee this can't overflow but it
1505 * can still produce 0 for extreme cHRM values.
1506 */
1507 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1508 png_reciprocal(green_inverse);
1509 if (blue_scale <= 0)
1510 return 1;
1511
1512
1513 /* And fill in the png_XYZ: */
1514 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1515 return 1;
1516 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1517 return 1;
1518 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1519 red_inverse) == 0)
1520 return 1;
1521
1522 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1523 return 1;
1524 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1525 return 1;
1526 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1527 green_inverse) == 0)
1528 return 1;
1529
1530 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1531 return 1;
1532 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1533 return 1;
1534 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1535 PNG_FP_1) == 0)
1536 return 1;
1537
1538 return 0; /*success*/
1539 }
1540
1541 static int
1542 png_XYZ_normalize(png_XYZ *XYZ)
1543 {
1544 png_int_32 Y;
1545
1546 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1547 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1548 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1549 return 1;
1550
1551 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1552 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1553 * relying on addition of two positive values producing a negative one is not
1554 * safe.
1555 */
1556 Y = XYZ->red_Y;
1557 if (0x7fffffff - Y < XYZ->green_X)
1558 return 1;
1559 Y += XYZ->green_Y;
1560 if (0x7fffffff - Y < XYZ->blue_X)
1561 return 1;
1562 Y += XYZ->blue_Y;
1563
1564 if (Y != PNG_FP_1)
1565 {
1566 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1567 return 1;
1568 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1569 return 1;
1570 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1571 return 1;
1572
1573 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1574 return 1;
1575 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1576 return 1;
1577 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1578 return 1;
1579
1580 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1581 return 1;
1582 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1583 return 1;
1584 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1585 return 1;
1586 }
1587
1588 return 0;
1589 }
1590
1591 static int
1592 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1593 {
1594 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1595 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1596 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1597 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1598 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1599 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1600 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1601 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1602 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1603 return 0;
1604 return 1;
1605 }
1606
1607 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1608 * chunk chromaticities. Earlier checks used to simply look for the overflow
1609 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1610 * because the chromaticity values are not all distinct.) Despite this it is
1611 * theoretically possible to produce chromaticities that are apparently valid
1612 * but that rapidly degrade to invalid, potentially crashing, sets because of
1613 * arithmetic inaccuracies when calculations are performed on them. The new
1614 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1615 * within a small percentage of the original.
1616 */
1617 static int
1618 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1619 {
1620 int result;
1621 png_xy xy_test;
1622
1623 /* As a side-effect this routine also returns the XYZ endpoints. */
1624 result = png_XYZ_from_xy(XYZ, xy);
1625 if (result != 0)
1626 return result;
1627
1628 result = png_xy_from_XYZ(&xy_test, XYZ);
1629 if (result != 0)
1630 return result;
1631
1632 if (png_colorspace_endpoints_match(xy, &xy_test,
1633 5/*actually, the math is pretty accurate*/) != 0)
1634 return 0;
1635
1636 /* Too much slip */
1637 return 1;
1638 }
1639
1640 /* This is the check going the other way. The XYZ is modified to normalize it
1641 * (another side-effect) and the xy chromaticities are returned.
1642 */
1643 static int
1644 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1645 {
1646 int result;
1647 png_XYZ XYZtemp;
1648
1649 result = png_XYZ_normalize(XYZ);
1650 if (result != 0)
1651 return result;
1652
1653 result = png_xy_from_XYZ(xy, XYZ);
1654 if (result != 0)
1655 return result;
1656
1657 XYZtemp = *XYZ;
1658 return png_colorspace_check_xy(&XYZtemp, xy);
1659 }
1660
1661 /* Used to check for an endpoint match against sRGB */
1662 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1663 {
1664 /* color x y */
1665 /* red */ 64000, 33000,
1666 /* green */ 30000, 60000,
1667 /* blue */ 15000, 6000,
1668 /* white */ 31270, 32900
1669 };
1670
1671 static int
1672 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1673 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1674 int preferred)
1675 {
1676 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1677 return 0;
1678
1679 /* The consistency check is performed on the chromaticities; this factors out
1680 * variations because of the normalization (or not) of the end point Y
1681 * values.
1682 */
1683 if (preferred < 2 &&
1684 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1685 {
1686 /* The end points must be reasonably close to any we already have. The
1687 * following allows an error of up to +/-.001
1688 */
1689 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1690 100) == 0)
1691 {
1692 colorspace->flags |= PNG_COLORSPACE_INVALID;
1693 png_benign_error(png_ptr, "inconsistent chromaticities");
1694 return 0; /* failed */
1695 }
1696
1697 /* Only overwrite with preferred values */
1698 if (preferred == 0)
1699 return 1; /* ok, but no change */
1700 }
1701
1702 colorspace->end_points_xy = *xy;
1703 colorspace->end_points_XYZ = *XYZ;
1704 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1705
1706 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1707 * on this test.
1708 */
1709 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1710 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1711
1712 else
1713 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1714 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1715
1716 return 2; /* ok and changed */
1717 }
1718
1719 int /* PRIVATE */
1720 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1721 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1722 {
1723 /* We must check the end points to ensure they are reasonable - in the past
1724 * color management systems have crashed as a result of getting bogus
1725 * colorant values, while this isn't the fault of libpng it is the
1726 * responsibility of libpng because PNG carries the bomb and libpng is in a
1727 * position to protect against it.
1728 */
1729 png_XYZ XYZ;
1730
1731 switch (png_colorspace_check_xy(&XYZ, xy))
1732 {
1733 case 0: /* success */
1734 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1735 preferred);
1736
1737 case 1:
1738 /* We can't invert the chromaticities so we can't produce value XYZ
1739 * values. Likely as not a color management system will fail too.
1740 */
1741 colorspace->flags |= PNG_COLORSPACE_INVALID;
1742 png_benign_error(png_ptr, "invalid chromaticities");
1743 break;
1744
1745 default:
1746 /* libpng is broken; this should be a warning but if it happens we
1747 * want error reports so for the moment it is an error.
1748 */
1749 colorspace->flags |= PNG_COLORSPACE_INVALID;
1750 png_error(png_ptr, "internal error checking chromaticities");
1751 }
1752
1753 return 0; /* failed */
1754 }
1755
1756 int /* PRIVATE */
1757 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1758 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1759 {
1760 png_XYZ XYZ = *XYZ_in;
1761 png_xy xy;
1762
1763 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1764 {
1765 case 0:
1766 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1767 preferred);
1768
1769 case 1:
1770 /* End points are invalid. */
1771 colorspace->flags |= PNG_COLORSPACE_INVALID;
1772 png_benign_error(png_ptr, "invalid end points");
1773 break;
1774
1775 default:
1776 colorspace->flags |= PNG_COLORSPACE_INVALID;
1777 png_error(png_ptr, "internal error checking chromaticities");
1778 }
1779
1780 return 0; /* failed */
1781 }
1782
1783 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1784 /* Error message generation */
1785 static char
1786 png_icc_tag_char(png_uint_32 byte)
1787 {
1788 byte &= 0xff;
1789 if (byte >= 32 && byte <= 126)
1790 return (char)byte;
1791 else
1792 return '?';
1793 }
1794
1795 static void
1796 png_icc_tag_name(char *name, png_uint_32 tag)
1797 {
1798 name[0] = '\'';
1799 name[1] = png_icc_tag_char(tag >> 24);
1800 name[2] = png_icc_tag_char(tag >> 16);
1801 name[3] = png_icc_tag_char(tag >> 8);
1802 name[4] = png_icc_tag_char(tag );
1803 name[5] = '\'';
1804 }
1805
1806 static int
1807 is_ICC_signature_char(png_alloc_size_t it)
1808 {
1809 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1810 (it >= 97 && it <= 122);
1811 }
1812
1813 static int
1814 is_ICC_signature(png_alloc_size_t it)
1815 {
1816 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1817 is_ICC_signature_char((it >> 16) & 0xff) &&
1818 is_ICC_signature_char((it >> 8) & 0xff) &&
1819 is_ICC_signature_char(it & 0xff);
1820 }
1821
1822 static int
1823 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1824 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1825 {
1826 size_t pos;
1827 char message[196]; /* see below for calculation */
1828
1829 if (colorspace != NULL)
1830 colorspace->flags |= PNG_COLORSPACE_INVALID;
1831
1832 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1833 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1834 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1835 if (is_ICC_signature(value) != 0)
1836 {
1837 /* So 'value' is at most 4 bytes and the following cast is safe */
1838 png_icc_tag_name(message+pos, (png_uint_32)value);
1839 pos += 6; /* total +8; less than the else clause */
1840 message[pos++] = ':';
1841 message[pos++] = ' ';
1842 }
1843 # ifdef PNG_WARNINGS_SUPPORTED
1844 else
1845 {
1846 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1847
1848 pos = png_safecat(message, (sizeof message), pos,
1849 png_format_number(number, number+(sizeof number),
1850 PNG_NUMBER_FORMAT_x, value));
1851 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1852 }
1853 # endif
1854 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1855 pos = png_safecat(message, (sizeof message), pos, reason);
1856 PNG_UNUSED(pos)
1857
1858 /* This is recoverable, but make it unconditionally an app_error on write to
1859 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1860 * on read, with a warning, but on write unless the app turns off
1861 * application errors the PNG won't be written.)
1862 */
1863 png_chunk_report(png_ptr, message,
1864 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1865
1866 return 0;
1867 }
1868 #endif /* sRGB || iCCP */
1869
1870 #ifdef PNG_sRGB_SUPPORTED
1871 int /* PRIVATE */
1872 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1873 int intent)
1874 {
1875 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1876 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1877 * because ICC profiles store values adapted to a D50 environment; it is
1878 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1879 * checks and code elsewhere to understand this better.
1880 *
1881 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1882 * coefficients of (6968,23435,2366), which are reduced (because they add up
1883 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1884 * libpng has traditionally used (and are the best values given the 15bit
1885 * algorithm used by the rgb to gray code.)
1886 */
1887 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1888 {
1889 /* color X Y Z */
1890 /* red */ 41239, 21264, 1933,
1891 /* green */ 35758, 71517, 11919,
1892 /* blue */ 18048, 7219, 95053
1893 };
1894
1895 /* Do nothing if the colorspace is already invalidated. */
1896 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1897 return 0;
1898
1899 /* Check the intent, then check for existing settings. It is valid for the
1900 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1901 * be consistent with the correct values. If, however, this function is
1902 * called below because an iCCP chunk matches sRGB then it is quite
1903 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1904 * an incorrect calculation based on the values in the profile - this does
1905 * *not* invalidate the profile (though it still produces an error, which can
1906 * be ignored.)
1907 */
1908 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1909 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1910 (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1911
1912 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1913 colorspace->rendering_intent != intent)
1914 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1915 (png_alloc_size_t)intent, "inconsistent rendering intents");
1916
1917 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1918 {
1919 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1920 return 0;
1921 }
1922
1923 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1924 * warn but overwrite the value with the correct one.
1925 */
1926 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1927 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1928 100))
1929 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1930 PNG_CHUNK_ERROR);
1931
1932 /* This check is just done for the error reporting - the routine always
1933 * returns true when the 'from' argument corresponds to sRGB (2).
1934 */
1935 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1936 2/*from sRGB*/);
1937
1938 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1939 colorspace->rendering_intent = (png_uint_16)intent;
1940 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1941
1942 /* endpoints */
1943 colorspace->end_points_xy = sRGB_xy;
1944 colorspace->end_points_XYZ = sRGB_XYZ;
1945 colorspace->flags |=
1946 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1947
1948 /* gamma */
1949 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1950 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1951
1952 /* Finally record that we have an sRGB profile */
1953 colorspace->flags |=
1954 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1955
1956 return 1; /* set */
1957 }
1958 #endif /* sRGB */
1959
1960 #ifdef PNG_iCCP_SUPPORTED
1961 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1962 * is XYZ(0.9642,1.0,0.8249), which scales to:
1963 *
1964 * (63189.8112, 65536, 54060.6464)
1965 */
1966 static const png_byte D50_nCIEXYZ[12] =
1967 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1968
1969 static int /* bool */
1970 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1971 png_const_charp name, png_uint_32 profile_length)
1972 {
1973 if (profile_length < 132)
1974 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1975 "too short");
1976 return 1;
1977 }
1978
1979 #ifdef PNG_READ_iCCP_SUPPORTED
1980 int /* PRIVATE */
1981 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1982 png_const_charp name, png_uint_32 profile_length)
1983 {
1984 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1985 return 0;
1986
1987 /* This needs to be here because the 'normal' check is in
1988 * png_decompress_chunk, yet this happens after the attempt to
1989 * png_malloc_base the required data. We only need this on read; on write
1990 * the caller supplies the profile buffer so libpng doesn't allocate it. See
1991 * the call to icc_check_length below (the write case).
1992 */
1993 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
1994 else if (png_ptr->user_chunk_malloc_max > 0 &&
1995 png_ptr->user_chunk_malloc_max < profile_length)
1996 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1997 "exceeds application limits");
1998 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
1999 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2000 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2001 "exceeds libpng limits");
2002 # else /* !SET_USER_LIMITS */
2003 /* This will get compiled out on all 32-bit and better systems. */
2004 else if (PNG_SIZE_MAX < profile_length)
2005 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2006 "exceeds system limits");
2007 # endif /* !SET_USER_LIMITS */
2008
2009 return 1;
2010 }
2011 #endif /* READ_iCCP */
2012
2013 int /* PRIVATE */
2014 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2015 png_const_charp name, png_uint_32 profile_length,
2016 png_const_bytep profile/* first 132 bytes only */, int color_type)
2017 {
2018 png_uint_32 temp;
2019
2020 /* Length check; this cannot be ignored in this code because profile_length
2021 * is used later to check the tag table, so even if the profile seems over
2022 * long profile_length from the caller must be correct. The caller can fix
2023 * this up on read or write by just passing in the profile header length.
2024 */
2025 temp = png_get_uint_32(profile);
2026 if (temp != profile_length)
2027 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2028 "length does not match profile");
2029
2030 temp = (png_uint_32) (*(profile+8));
2031 if (temp > 3 && (profile_length & 3))
2032 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2033 "invalid length");
2034
2035 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2036 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2037 profile_length < 132+12*temp) /* truncated tag table */
2038 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2039 "tag count too large");
2040
2041 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2042 * 16 bits.
2043 */
2044 temp = png_get_uint_32(profile+64);
2045 if (temp >= 0xffff) /* The ICC limit */
2046 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2047 "invalid rendering intent");
2048
2049 /* This is just a warning because the profile may be valid in future
2050 * versions.
2051 */
2052 if (temp >= PNG_sRGB_INTENT_LAST)
2053 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2054 "intent outside defined range");
2055
2056 /* At this point the tag table can't be checked because it hasn't necessarily
2057 * been loaded; however, various header fields can be checked. These checks
2058 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2059 * restricts the profiles that can be passed in an iCCP chunk (they must be
2060 * appropriate to processing PNG data!)
2061 */
2062
2063 /* Data checks (could be skipped). These checks must be independent of the
2064 * version number; however, the version number doesn't accommodate changes in
2065 * the header fields (just the known tags and the interpretation of the
2066 * data.)
2067 */
2068 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2069 if (temp != 0x61637370)
2070 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2071 "invalid signature");
2072
2073 /* Currently the PCS illuminant/adopted white point (the computational
2074 * white point) are required to be D50,
2075 * however the profile contains a record of the illuminant so perhaps ICC
2076 * expects to be able to change this in the future (despite the rationale in
2077 * the introduction for using a fixed PCS adopted white.) Consequently the
2078 * following is just a warning.
2079 */
2080 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2081 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2082 "PCS illuminant is not D50");
2083
2084 /* The PNG spec requires this:
2085 * "If the iCCP chunk is present, the image samples conform to the colour
2086 * space represented by the embedded ICC profile as defined by the
2087 * International Color Consortium [ICC]. The colour space of the ICC profile
2088 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2089 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2090 * and 4)."
2091 *
2092 * This checking code ensures the embedded profile (on either read or write)
2093 * conforms to the specification requirements. Notice that an ICC 'gray'
2094 * color-space profile contains the information to transform the monochrome
2095 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2096 * should be used in preference to the standard libpng K channel replication
2097 * into R, G and B channels.
2098 *
2099 * Previously it was suggested that an RGB profile on grayscale data could be
2100 * handled. However it it is clear that using an RGB profile in this context
2101 * must be an error - there is no specification of what it means. Thus it is
2102 * almost certainly more correct to ignore the profile.
2103 */
2104 temp = png_get_uint_32(profile+16); /* data colour space field */
2105 switch (temp)
2106 {
2107 case 0x52474220: /* 'RGB ' */
2108 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2109 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2110 "RGB color space not permitted on grayscale PNG");
2111 break;
2112
2113 case 0x47524159: /* 'GRAY' */
2114 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2115 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116 "Gray color space not permitted on RGB PNG");
2117 break;
2118
2119 default:
2120 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2121 "invalid ICC profile color space");
2122 }
2123
2124 /* It is up to the application to check that the profile class matches the
2125 * application requirements; the spec provides no guidance, but it's pretty
2126 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2127 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2128 * cases. Issue an error for device link or abstract profiles - these don't
2129 * contain the records necessary to transform the color-space to anything
2130 * other than the target device (and not even that for an abstract profile).
2131 * Profiles of these classes may not be embedded in images.
2132 */
2133 temp = png_get_uint_32(profile+12); /* profile/device class */
2134 switch (temp)
2135 {
2136 case 0x73636e72: /* 'scnr' */
2137 case 0x6d6e7472: /* 'mntr' */
2138 case 0x70727472: /* 'prtr' */
2139 case 0x73706163: /* 'spac' */
2140 /* All supported */
2141 break;
2142
2143 case 0x61627374: /* 'abst' */
2144 /* May not be embedded in an image */
2145 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2146 "invalid embedded Abstract ICC profile");
2147
2148 case 0x6c696e6b: /* 'link' */
2149 /* DeviceLink profiles cannot be interpreted in a non-device specific
2150 * fashion, if an app uses the AToB0Tag in the profile the results are
2151 * undefined unless the result is sent to the intended device,
2152 * therefore a DeviceLink profile should not be found embedded in a
2153 * PNG.
2154 */
2155 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2156 "unexpected DeviceLink ICC profile class");
2157
2158 case 0x6e6d636c: /* 'nmcl' */
2159 /* A NamedColor profile is also device specific, however it doesn't
2160 * contain an AToB0 tag that is open to misinterpretation. Almost
2161 * certainly it will fail the tests below.
2162 */
2163 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2164 "unexpected NamedColor ICC profile class");
2165 break;
2166
2167 default:
2168 /* To allow for future enhancements to the profile accept unrecognized
2169 * profile classes with a warning, these then hit the test below on the
2170 * tag content to ensure they are backward compatible with one of the
2171 * understood profiles.
2172 */
2173 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2174 "unrecognized ICC profile class");
2175 break;
2176 }
2177
2178 /* For any profile other than a device link one the PCS must be encoded
2179 * either in XYZ or Lab.
2180 */
2181 temp = png_get_uint_32(profile+20);
2182 switch (temp)
2183 {
2184 case 0x58595a20: /* 'XYZ ' */
2185 case 0x4c616220: /* 'Lab ' */
2186 break;
2187
2188 default:
2189 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2190 "unexpected ICC PCS encoding");
2191 }
2192
2193 return 1;
2194 }
2195
2196 int /* PRIVATE */
2197 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2198 png_const_charp name, png_uint_32 profile_length,
2199 png_const_bytep profile /* header plus whole tag table */)
2200 {
2201 png_uint_32 tag_count = png_get_uint_32(profile+128);
2202 png_uint_32 itag;
2203 png_const_bytep tag = profile+132; /* The first tag */
2204
2205 /* First scan all the tags in the table and add bits to the icc_info value
2206 * (temporarily in 'tags').
2207 */
2208 for (itag=0; itag < tag_count; ++itag, tag += 12)
2209 {
2210 png_uint_32 tag_id = png_get_uint_32(tag+0);
2211 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2212 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2213
2214 /* The ICC specification does not exclude zero length tags, therefore the
2215 * start might actually be anywhere if there is no data, but this would be
2216 * a clear abuse of the intent of the standard so the start is checked for
2217 * being in range. All defined tag types have an 8 byte header - a 4 byte
2218 * type signature then 0.
2219 */
2220
2221 /* This is a hard error; potentially it can cause read outside the
2222 * profile.
2223 */
2224 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2225 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2226 "ICC profile tag outside profile");
2227
2228 if ((tag_start & 3) != 0)
2229 {
2230 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2231 * only a warning here because libpng does not care about the
2232 * alignment.
2233 */
2234 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2235 "ICC profile tag start not a multiple of 4");
2236 }
2237 }
2238
2239 return 1; /* success, maybe with warnings */
2240 }
2241
2242 #ifdef PNG_sRGB_SUPPORTED
2243 #if PNG_sRGB_PROFILE_CHECKS >= 0
2244 /* Information about the known ICC sRGB profiles */
2245 static const struct
2246 {
2247 png_uint_32 adler, crc, length;
2248 png_uint_32 md5[4];
2249 png_byte have_md5;
2250 png_byte is_broken;
2251 png_uint_16 intent;
2252
2253 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2254 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2255 { adler, crc, length, md5, broke, intent },
2256
2257 } png_sRGB_checks[] =
2258 {
2259 /* This data comes from contrib/tools/checksum-icc run on downloads of
2260 * all four ICC sRGB profiles from www.color.org.
2261 */
2262 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2263 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2264 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2265 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2266
2267 /* ICC sRGB v2 perceptual no black-compensation: */
2268 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2269 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2270 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2271
2272 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2273 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2274 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2275
2276 /* ICC sRGB v4 perceptual */
2277 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2278 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2279 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2280
2281 /* The following profiles have no known MD5 checksum. If there is a match
2282 * on the (empty) MD5 the other fields are used to attempt a match and
2283 * a warning is produced. The first two of these profiles have a 'cprt' tag
2284 * which suggests that they were also made by Hewlett Packard.
2285 */
2286 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2287 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2288 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2289
2290 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2291 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2292 * so the white point is recorded as the un-adapted value.) The profiles
2293 * below only differ in one byte - the intent - and are basically the same as
2294 * the previous profile except for the mediaWhitePointTag error and a missing
2295 * chromaticAdaptationTag.
2296 */
2297 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2298 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2299 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2300
2301 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2302 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2303 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2304 };
2305
2306 static int
2307 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2308 png_const_bytep profile, uLong adler)
2309 {
2310 /* The quick check is to verify just the MD5 signature and trust the
2311 * rest of the data. Because the profile has already been verified for
2312 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2313 * field too, so if the profile has been edited with an intent not defined
2314 * by sRGB (but maybe defined by a later ICC specification) the read of
2315 * the profile will fail at that point.
2316 */
2317
2318 png_uint_32 length = 0;
2319 png_uint_32 intent = 0x10000; /* invalid */
2320 #if PNG_sRGB_PROFILE_CHECKS > 1
2321 uLong crc = 0; /* the value for 0 length data */
2322 #endif
2323 unsigned int i;
2324
2325 #ifdef PNG_SET_OPTION_SUPPORTED
2326 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2327 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2328 PNG_OPTION_ON)
2329 return 0;
2330 #endif
2331
2332 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2333 {
2334 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2335 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2336 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2337 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2338 {
2339 /* This may be one of the old HP profiles without an MD5, in that
2340 * case we can only use the length and Adler32 (note that these
2341 * are not used by default if there is an MD5!)
2342 */
2343 # if PNG_sRGB_PROFILE_CHECKS == 0
2344 if (png_sRGB_checks[i].have_md5 != 0)
2345 return 1+png_sRGB_checks[i].is_broken;
2346 # endif
2347
2348 /* Profile is unsigned or more checks have been configured in. */
2349 if (length == 0)
2350 {
2351 length = png_get_uint_32(profile);
2352 intent = png_get_uint_32(profile+64);
2353 }
2354
2355 /* Length *and* intent must match */
2356 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2357 intent == (png_uint_32) png_sRGB_checks[i].intent)
2358 {
2359 /* Now calculate the adler32 if not done already. */
2360 if (adler == 0)
2361 {
2362 adler = adler32(0, NULL, 0);
2363 adler = adler32(adler, profile, length);
2364 }
2365
2366 if (adler == png_sRGB_checks[i].adler)
2367 {
2368 /* These basic checks suggest that the data has not been
2369 * modified, but if the check level is more than 1 perform
2370 * our own crc32 checksum on the data.
2371 */
2372 # if PNG_sRGB_PROFILE_CHECKS > 1
2373 if (crc == 0)
2374 {
2375 crc = crc32(0, NULL, 0);
2376 crc = crc32(crc, profile, length);
2377 }
2378
2379 /* So this check must pass for the 'return' below to happen.
2380 */
2381 if (crc == png_sRGB_checks[i].crc)
2382 # endif
2383 {
2384 if (png_sRGB_checks[i].is_broken != 0)
2385 {
2386 /* These profiles are known to have bad data that may cause
2387 * problems if they are used, therefore attempt to
2388 * discourage their use, skip the 'have_md5' warning below,
2389 * which is made irrelevant by this error.
2390 */
2391 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2392 PNG_CHUNK_ERROR);
2393 }
2394
2395 /* Warn that this being done; this isn't even an error since
2396 * the profile is perfectly valid, but it would be nice if
2397 * people used the up-to-date ones.
2398 */
2399 else if (png_sRGB_checks[i].have_md5 == 0)
2400 {
2401 png_chunk_report(png_ptr,
2402 "out-of-date sRGB profile with no signature",
2403 PNG_CHUNK_WARNING);
2404 }
2405
2406 return 1+png_sRGB_checks[i].is_broken;
2407 }
2408 }
2409
2410 # if PNG_sRGB_PROFILE_CHECKS > 0
2411 /* The signature matched, but the profile had been changed in some
2412 * way. This probably indicates a data error or uninformed hacking.
2413 * Fall through to "no match".
2414 */
2415 png_chunk_report(png_ptr,
2416 "Not recognizing known sRGB profile that has been edited",
2417 PNG_CHUNK_WARNING);
2418 break;
2419 # endif
2420 }
2421 }
2422 }
2423
2424 return 0; /* no match */
2425 }
2426
2427 void /* PRIVATE */
2428 png_icc_set_sRGB(png_const_structrp png_ptr,
2429 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2430 {
2431 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2432 * the sRGB information.
2433 */
2434 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2435 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2436 (int)/*already checked*/png_get_uint_32(profile+64));
2437 }
2438 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2439 #endif /* sRGB */
2440
2441 int /* PRIVATE */
2442 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2443 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2444 int color_type)
2445 {
2446 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2447 return 0;
2448
2449 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2450 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2451 color_type) != 0 &&
2452 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2453 profile) != 0)
2454 {
2455 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2456 /* If no sRGB support, don't try storing sRGB information */
2457 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2458 # endif
2459 return 1;
2460 }
2461
2462 /* Failure case */
2463 return 0;
2464 }
2465 #endif /* iCCP */
2466
2467 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2468 void /* PRIVATE */
2469 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2470 {
2471 /* Set the rgb_to_gray coefficients from the colorspace. */
2472 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2473 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2474 {
2475 /* png_set_background has not been called, get the coefficients from the Y
2476 * values of the colorspace colorants.
2477 */
2478 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2479 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2480 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2481 png_fixed_point total = r+g+b;
2482
2483 if (total > 0 &&
2484 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2485 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2486 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2487 r+g+b <= 32769)
2488 {
2489 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2490 * all of the coefficients were rounded up. Handle this by
2491 * reducing the *largest* coefficient by 1; this matches the
2492 * approach used for the default coefficients in pngrtran.c
2493 */
2494 int add = 0;
2495
2496 if (r+g+b > 32768)
2497 add = -1;
2498 else if (r+g+b < 32768)
2499 add = 1;
2500
2501 if (add != 0)
2502 {
2503 if (g >= r && g >= b)
2504 g += add;
2505 else if (r >= g && r >= b)
2506 r += add;
2507 else
2508 b += add;
2509 }
2510
2511 /* Check for an internal error. */
2512 if (r+g+b != 32768)
2513 png_error(png_ptr,
2514 "internal error handling cHRM coefficients");
2515
2516 else
2517 {
2518 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2519 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2520 }
2521 }
2522
2523 /* This is a png_error at present even though it could be ignored -
2524 * it should never happen, but it is important that if it does, the
2525 * bug is fixed.
2526 */
2527 else
2528 png_error(png_ptr, "internal error handling cHRM->XYZ");
2529 }
2530 }
2531 #endif /* READ_RGB_TO_GRAY */
2532
2533 #endif /* COLORSPACE */
2534
2535 /* #ifdef __GNUC__ */
2536 #if 1
2537 /* This exists solely to work round a warning from GNU C. */
2538 static int /* PRIVATE */
2539 png_gt(size_t a, size_t b)
2540 {
2541 return a > b;
2542 }
2543 #else
2544 # define png_gt(a,b) ((a) > (b))
2545 #endif
2546
2547 void /* PRIVATE */
2548 png_check_IHDR(png_const_structrp png_ptr,
2549 png_uint_32 width, png_uint_32 height, int bit_depth,
2550 int color_type, int interlace_type, int compression_type,
2551 int filter_type)
2552 {
2553 int error = 0;
2554
2555 /* Check for width and height valid values */
2556 if (width == 0)
2557 {
2558 png_warning(png_ptr, "Image width is zero in IHDR");
2559 error = 1;
2560 }
2561
2562 if (width > PNG_UINT_31_MAX)
2563 {
2564 png_warning(png_ptr, "Invalid image width in IHDR");
2565 error = 1;
2566 }
2567
2568 if (png_gt(((width + 7) & (~7U)),
2569 ((PNG_SIZE_MAX
2570 - 48 /* big_row_buf hack */
2571 - 1) /* filter byte */
2572 / 8) /* 8-byte RGBA pixels */
2573 - 1)) /* extra max_pixel_depth pad */
2574 {
2575 /* The size of the row must be within the limits of this architecture.
2576 * Because the read code can perform arbitrary transformations the
2577 * maximum size is checked here. Because the code in png_read_start_row
2578 * adds extra space "for safety's sake" in several places a conservative
2579 * limit is used here.
2580 *
2581 * NOTE: it would be far better to check the size that is actually used,
2582 * but the effect in the real world is minor and the changes are more
2583 * extensive, therefore much more dangerous and much more difficult to
2584 * write in a way that avoids compiler warnings.
2585 */
2586 png_warning(png_ptr, "Image width is too large for this architecture");
2587 error = 1;
2588 }
2589
2590 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2591 if (width > png_ptr->user_width_max)
2592 #else
2593 if (width > PNG_USER_WIDTH_MAX)
2594 #endif
2595 {
2596 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2597 error = 1;
2598 }
2599
2600 if (height == 0)
2601 {
2602 png_warning(png_ptr, "Image height is zero in IHDR");
2603 error = 1;
2604 }
2605
2606 if (height > PNG_UINT_31_MAX)
2607 {
2608 png_warning(png_ptr, "Invalid image height in IHDR");
2609 error = 1;
2610 }
2611
2612 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2613 if (height > png_ptr->user_height_max)
2614 #else
2615 if (height > PNG_USER_HEIGHT_MAX)
2616 #endif
2617 {
2618 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2619 error = 1;
2620 }
2621
2622 /* Check other values */
2623 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2624 bit_depth != 8 && bit_depth != 16)
2625 {
2626 png_warning(png_ptr, "Invalid bit depth in IHDR");
2627 error = 1;
2628 }
2629
2630 if (color_type < 0 || color_type == 1 ||
2631 color_type == 5 || color_type > 6)
2632 {
2633 png_warning(png_ptr, "Invalid color type in IHDR");
2634 error = 1;
2635 }
2636
2637 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2638 ((color_type == PNG_COLOR_TYPE_RGB ||
2639 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2640 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2641 {
2642 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2643 error = 1;
2644 }
2645
2646 if (interlace_type >= PNG_INTERLACE_LAST)
2647 {
2648 png_warning(png_ptr, "Unknown interlace method in IHDR");
2649 error = 1;
2650 }
2651
2652 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2653 {
2654 png_warning(png_ptr, "Unknown compression method in IHDR");
2655 error = 1;
2656 }
2657
2658 #ifdef PNG_MNG_FEATURES_SUPPORTED
2659 /* Accept filter_method 64 (intrapixel differencing) only if
2660 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2661 * 2. Libpng did not read a PNG signature (this filter_method is only
2662 * used in PNG datastreams that are embedded in MNG datastreams) and
2663 * 3. The application called png_permit_mng_features with a mask that
2664 * included PNG_FLAG_MNG_FILTER_64 and
2665 * 4. The filter_method is 64 and
2666 * 5. The color_type is RGB or RGBA
2667 */
2668 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2669 png_ptr->mng_features_permitted != 0)
2670 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2671
2672 if (filter_type != PNG_FILTER_TYPE_BASE)
2673 {
2674 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2675 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2676 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2677 (color_type == PNG_COLOR_TYPE_RGB ||
2678 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2679 {
2680 png_warning(png_ptr, "Unknown filter method in IHDR");
2681 error = 1;
2682 }
2683
2684 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2685 {
2686 png_warning(png_ptr, "Invalid filter method in IHDR");
2687 error = 1;
2688 }
2689 }
2690
2691 #else
2692 if (filter_type != PNG_FILTER_TYPE_BASE)
2693 {
2694 png_warning(png_ptr, "Unknown filter method in IHDR");
2695 error = 1;
2696 }
2697 #endif
2698
2699 if (error == 1)
2700 png_error(png_ptr, "Invalid IHDR data");
2701 }
2702
2703 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2704 /* ASCII to fp functions */
2705 /* Check an ASCII formatted floating point value, see the more detailed
2706 * comments in pngpriv.h
2707 */
2708 /* The following is used internally to preserve the sticky flags */
2709 #define png_fp_add(state, flags) ((state) |= (flags))
2710 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2711
2712 int /* PRIVATE */
2713 png_check_fp_number(png_const_charp string, size_t size, int *statep,
2714 png_size_tp whereami)
2715 {
2716 int state = *statep;
2717 size_t i = *whereami;
2718
2719 while (i < size)
2720 {
2721 int type;
2722 /* First find the type of the next character */
2723 switch (string[i])
2724 {
2725 case 43: type = PNG_FP_SAW_SIGN; break;
2726 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2727 case 46: type = PNG_FP_SAW_DOT; break;
2728 case 48: type = PNG_FP_SAW_DIGIT; break;
2729 case 49: case 50: case 51: case 52:
2730 case 53: case 54: case 55: case 56:
2731 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2732 case 69:
2733 case 101: type = PNG_FP_SAW_E; break;
2734 default: goto PNG_FP_End;
2735 }
2736
2737 /* Now deal with this type according to the current
2738 * state, the type is arranged to not overlap the
2739 * bits of the PNG_FP_STATE.
2740 */
2741 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2742 {
2743 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2744 if ((state & PNG_FP_SAW_ANY) != 0)
2745 goto PNG_FP_End; /* not a part of the number */
2746
2747 png_fp_add(state, type);
2748 break;
2749
2750 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2751 /* Ok as trailer, ok as lead of fraction. */
2752 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2753 goto PNG_FP_End;
2754
2755 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2756 png_fp_add(state, type);
2757
2758 else
2759 png_fp_set(state, PNG_FP_FRACTION | type);
2760
2761 break;
2762
2763 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2764 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2765 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2766
2767 png_fp_add(state, type | PNG_FP_WAS_VALID);
2768
2769 break;
2770
2771 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2772 if ((state & PNG_FP_SAW_DIGIT) == 0)
2773 goto PNG_FP_End;
2774
2775 png_fp_set(state, PNG_FP_EXPONENT);
2776
2777 break;
2778
2779 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2780 goto PNG_FP_End; ** no sign in fraction */
2781
2782 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2783 goto PNG_FP_End; ** Because SAW_DOT is always set */
2784
2785 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2786 png_fp_add(state, type | PNG_FP_WAS_VALID);
2787 break;
2788
2789 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2790 /* This is correct because the trailing '.' on an
2791 * integer is handled above - so we can only get here
2792 * with the sequence ".E" (with no preceding digits).
2793 */
2794 if ((state & PNG_FP_SAW_DIGIT) == 0)
2795 goto PNG_FP_End;
2796
2797 png_fp_set(state, PNG_FP_EXPONENT);
2798
2799 break;
2800
2801 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2802 if ((state & PNG_FP_SAW_ANY) != 0)
2803 goto PNG_FP_End; /* not a part of the number */
2804
2805 png_fp_add(state, PNG_FP_SAW_SIGN);
2806
2807 break;
2808
2809 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2810 goto PNG_FP_End; */
2811
2812 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2813 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2814
2815 break;
2816
2817 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2818 goto PNG_FP_End; */
2819
2820 default: goto PNG_FP_End; /* I.e. break 2 */
2821 }
2822
2823 /* The character seems ok, continue. */
2824 ++i;
2825 }
2826
2827 PNG_FP_End:
2828 /* Here at the end, update the state and return the correct
2829 * return code.
2830 */
2831 *statep = state;
2832 *whereami = i;
2833
2834 return (state & PNG_FP_SAW_DIGIT) != 0;
2835 }
2836
2837
2838 /* The same but for a complete string. */
2839 int
2840 png_check_fp_string(png_const_charp string, size_t size)
2841 {
2842 int state=0;
2843 size_t char_index=0;
2844
2845 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2846 (char_index == size || string[char_index] == 0))
2847 return state /* must be non-zero - see above */;
2848
2849 return 0; /* i.e. fail */
2850 }
2851 #endif /* pCAL || sCAL */
2852
2853 #ifdef PNG_sCAL_SUPPORTED
2854 # ifdef PNG_FLOATING_POINT_SUPPORTED
2855 /* Utility used below - a simple accurate power of ten from an integral
2856 * exponent.
2857 */
2858 static double
2859 png_pow10(int power)
2860 {
2861 int recip = 0;
2862 double d = 1;
2863
2864 /* Handle negative exponent with a reciprocal at the end because
2865 * 10 is exact whereas .1 is inexact in base 2
2866 */
2867 if (power < 0)
2868 {
2869 if (power < DBL_MIN_10_EXP) return 0;
2870 recip = 1; power = -power;
2871 }
2872
2873 if (power > 0)
2874 {
2875 /* Decompose power bitwise. */
2876 double mult = 10;
2877 do
2878 {
2879 if (power & 1) d *= mult;
2880 mult *= mult;
2881 power >>= 1;
2882 }
2883 while (power > 0);
2884
2885 if (recip != 0) d = 1/d;
2886 }
2887 /* else power is 0 and d is 1 */
2888
2889 return d;
2890 }
2891
2892 /* Function to format a floating point value in ASCII with a given
2893 * precision.
2894 */
2895 #if GCC_STRICT_OVERFLOW
2896 #pragma GCC diagnostic push
2897 /* The problem arises below with exp_b10, which can never overflow because it
2898 * comes, originally, from frexp and is therefore limited to a range which is
2899 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2900 */
2901 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
2902 #endif /* GCC_STRICT_OVERFLOW */
2903 void /* PRIVATE */
2904 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2905 double fp, unsigned int precision)
2906 {
2907 /* We use standard functions from math.h, but not printf because
2908 * that would require stdio. The caller must supply a buffer of
2909 * sufficient size or we will png_error. The tests on size and
2910 * the space in ascii[] consumed are indicated below.
2911 */
2912 if (precision < 1)
2913 precision = DBL_DIG;
2914
2915 /* Enforce the limit of the implementation precision too. */
2916 if (precision > DBL_DIG+1)
2917 precision = DBL_DIG+1;
2918
2919 /* Basic sanity checks */
2920 if (size >= precision+5) /* See the requirements below. */
2921 {
2922 if (fp < 0)
2923 {
2924 fp = -fp;
2925 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2926 --size;
2927 }
2928
2929 if (fp >= DBL_MIN && fp <= DBL_MAX)
2930 {
2931 int exp_b10; /* A base 10 exponent */
2932 double base; /* 10^exp_b10 */
2933
2934 /* First extract a base 10 exponent of the number,
2935 * the calculation below rounds down when converting
2936 * from base 2 to base 10 (multiply by log10(2) -
2937 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2938 * be increased. Note that the arithmetic shift
2939 * performs a floor() unlike C arithmetic - using a
2940 * C multiply would break the following for negative
2941 * exponents.
2942 */
2943 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2944
2945 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2946
2947 /* Avoid underflow here. */
2948 base = png_pow10(exp_b10); /* May underflow */
2949
2950 while (base < DBL_MIN || base < fp)
2951 {
2952 /* And this may overflow. */
2953 double test = png_pow10(exp_b10+1);
2954
2955 if (test <= DBL_MAX)
2956 {
2957 ++exp_b10; base = test;
2958 }
2959
2960 else
2961 break;
2962 }
2963
2964 /* Normalize fp and correct exp_b10, after this fp is in the
2965 * range [.1,1) and exp_b10 is both the exponent and the digit
2966 * *before* which the decimal point should be inserted
2967 * (starting with 0 for the first digit). Note that this
2968 * works even if 10^exp_b10 is out of range because of the
2969 * test on DBL_MAX above.
2970 */
2971 fp /= base;
2972 while (fp >= 1)
2973 {
2974 fp /= 10; ++exp_b10;
2975 }
2976
2977 /* Because of the code above fp may, at this point, be
2978 * less than .1, this is ok because the code below can
2979 * handle the leading zeros this generates, so no attempt
2980 * is made to correct that here.
2981 */
2982
2983 {
2984 unsigned int czero, clead, cdigits;
2985 char exponent[10];
2986
2987 /* Allow up to two leading zeros - this will not lengthen
2988 * the number compared to using E-n.
2989 */
2990 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2991 {
2992 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
2993 exp_b10 = 0; /* Dot added below before first output. */
2994 }
2995 else
2996 czero = 0; /* No zeros to add */
2997
2998 /* Generate the digit list, stripping trailing zeros and
2999 * inserting a '.' before a digit if the exponent is 0.
3000 */
3001 clead = czero; /* Count of leading zeros */
3002 cdigits = 0; /* Count of digits in list. */
3003
3004 do
3005 {
3006 double d;
3007
3008 fp *= 10;
3009 /* Use modf here, not floor and subtract, so that
3010 * the separation is done in one step. At the end
3011 * of the loop don't break the number into parts so
3012 * that the final digit is rounded.
3013 */
3014 if (cdigits+czero+1 < precision+clead)
3015 fp = modf(fp, &d);
3016
3017 else
3018 {
3019 d = floor(fp + .5);
3020
3021 if (d > 9)
3022 {
3023 /* Rounding up to 10, handle that here. */
3024 if (czero > 0)
3025 {
3026 --czero; d = 1;
3027 if (cdigits == 0) --clead;
3028 }
3029 else
3030 {
3031 while (cdigits > 0 && d > 9)
3032 {
3033 int ch = *--ascii;
3034
3035 if (exp_b10 != (-1))
3036 ++exp_b10;
3037
3038 else if (ch == 46)
3039 {
3040 ch = *--ascii; ++size;
3041 /* Advance exp_b10 to '1', so that the
3042 * decimal point happens after the
3043 * previous digit.
3044 */
3045 exp_b10 = 1;
3046 }
3047
3048 --cdigits;
3049 d = ch - 47; /* I.e. 1+(ch-48) */
3050 }
3051
3052 /* Did we reach the beginning? If so adjust the
3053 * exponent but take into account the leading
3054 * decimal point.
3055 */
3056 if (d > 9) /* cdigits == 0 */
3057 {
3058 if (exp_b10 == (-1))
3059 {
3060 /* Leading decimal point (plus zeros?), if
3061 * we lose the decimal point here it must
3062 * be reentered below.
3063 */
3064 int ch = *--ascii;
3065
3066 if (ch == 46)
3067 {
3068 ++size; exp_b10 = 1;
3069 }
3070
3071 /* Else lost a leading zero, so 'exp_b10' is
3072 * still ok at (-1)
3073 */
3074 }
3075 else
3076 ++exp_b10;
3077
3078 /* In all cases we output a '1' */
3079 d = 1;
3080 }
3081 }
3082 }
3083 fp = 0; /* Guarantees termination below. */
3084 }
3085
3086 if (d == 0)
3087 {
3088 ++czero;
3089 if (cdigits == 0) ++clead;
3090 }
3091 else
3092 {
3093 /* Included embedded zeros in the digit count. */
3094 cdigits += czero - clead;
3095 clead = 0;
3096
3097 while (czero > 0)
3098 {
3099 /* exp_b10 == (-1) means we just output the decimal
3100 * place - after the DP don't adjust 'exp_b10' any
3101 * more!
3102 */
3103 if (exp_b10 != (-1))
3104 {
3105 if (exp_b10 == 0)
3106 {
3107 *ascii++ = 46; --size;
3108 }
3109 /* PLUS 1: TOTAL 4 */
3110 --exp_b10;
3111 }
3112 *ascii++ = 48; --czero;
3113 }
3114
3115 if (exp_b10 != (-1))
3116 {
3117 if (exp_b10 == 0)
3118 {
3119 *ascii++ = 46; --size; /* counted above */
3120 }
3121
3122 --exp_b10;
3123 }
3124 *ascii++ = (char)(48 + (int)d); ++cdigits;
3125 }
3126 }
3127 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3128
3129 /* The total output count (max) is now 4+precision */
3130
3131 /* Check for an exponent, if we don't need one we are
3132 * done and just need to terminate the string. At this
3133 * point, exp_b10==(-1) is effectively a flag: it got
3134 * to '-1' because of the decrement, after outputting
3135 * the decimal point above. (The exponent required is
3136 * *not* -1.)
3137 */
3138 if (exp_b10 >= (-1) && exp_b10 <= 2)
3139 {
3140 /* The following only happens if we didn't output the
3141 * leading zeros above for negative exponent, so this
3142 * doesn't add to the digit requirement. Note that the
3143 * two zeros here can only be output if the two leading
3144 * zeros were *not* output, so this doesn't increase
3145 * the output count.
3146 */
3147 while (exp_b10-- > 0) *ascii++ = 48;
3148
3149 *ascii = 0;
3150
3151 /* Total buffer requirement (including the '\0') is
3152 * 5+precision - see check at the start.
3153 */
3154 return;
3155 }
3156
3157 /* Here if an exponent is required, adjust size for
3158 * the digits we output but did not count. The total
3159 * digit output here so far is at most 1+precision - no
3160 * decimal point and no leading or trailing zeros have
3161 * been output.
3162 */
3163 size -= cdigits;
3164
3165 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */
3166
3167 /* The following use of an unsigned temporary avoids ambiguities in
3168 * the signed arithmetic on exp_b10 and permits GCC at least to do
3169 * better optimization.
3170 */
3171 {
3172 unsigned int uexp_b10;
3173
3174 if (exp_b10 < 0)
3175 {
3176 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3177 uexp_b10 = 0U-exp_b10;
3178 }
3179
3180 else
3181 uexp_b10 = 0U+exp_b10;
3182
3183 cdigits = 0;
3184
3185 while (uexp_b10 > 0)
3186 {
3187 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3188 uexp_b10 /= 10;
3189 }
3190 }
3191
3192 /* Need another size check here for the exponent digits, so
3193 * this need not be considered above.
3194 */
3195 if (size > cdigits)
3196 {
3197 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3198
3199 *ascii = 0;
3200
3201 return;
3202 }
3203 }
3204 }
3205 else if (!(fp >= DBL_MIN))
3206 {
3207 *ascii++ = 48; /* '0' */
3208 *ascii = 0;
3209 return;
3210 }
3211 else
3212 {
3213 *ascii++ = 105; /* 'i' */
3214 *ascii++ = 110; /* 'n' */
3215 *ascii++ = 102; /* 'f' */
3216 *ascii = 0;
3217 return;
3218 }
3219 }
3220
3221 /* Here on buffer too small. */
3222 png_error(png_ptr, "ASCII conversion buffer too small");
3223 }
3224 #if GCC_STRICT_OVERFLOW
3225 #pragma GCC diagnostic pop
3226 #endif /* GCC_STRICT_OVERFLOW */
3227
3228 # endif /* FLOATING_POINT */
3229
3230 # ifdef PNG_FIXED_POINT_SUPPORTED
3231 /* Function to format a fixed point value in ASCII.
3232 */
3233 void /* PRIVATE */
3234 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3235 size_t size, png_fixed_point fp)
3236 {
3237 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3238 * trailing \0, 13 characters:
3239 */
3240 if (size > 12)
3241 {
3242 png_uint_32 num;
3243
3244 /* Avoid overflow here on the minimum integer. */
3245 if (fp < 0)
3246 {
3247 *ascii++ = 45; num = (png_uint_32)(-fp);
3248 }
3249 else
3250 num = (png_uint_32)fp;
3251
3252 if (num <= 0x80000000) /* else overflowed */
3253 {
3254 unsigned int ndigits = 0, first = 16 /* flag value */;
3255 char digits[10];
3256
3257 while (num)
3258 {
3259 /* Split the low digit off num: */
3260 unsigned int tmp = num/10;
3261 num -= tmp*10;
3262 digits[ndigits++] = (char)(48 + num);
3263 /* Record the first non-zero digit, note that this is a number
3264 * starting at 1, it's not actually the array index.
3265 */
3266 if (first == 16 && num > 0)
3267 first = ndigits;
3268 num = tmp;
3269 }
3270
3271 if (ndigits > 0)
3272 {
3273 while (ndigits > 5) *ascii++ = digits[--ndigits];
3274 /* The remaining digits are fractional digits, ndigits is '5' or
3275 * smaller at this point. It is certainly not zero. Check for a
3276 * non-zero fractional digit:
3277 */
3278 if (first <= 5)
3279 {
3280 unsigned int i;
3281 *ascii++ = 46; /* decimal point */
3282 /* ndigits may be <5 for small numbers, output leading zeros
3283 * then ndigits digits to first:
3284 */
3285 i = 5;
3286 while (ndigits < i)
3287 {
3288 *ascii++ = 48; --i;
3289 }
3290 while (ndigits >= first) *ascii++ = digits[--ndigits];
3291 /* Don't output the trailing zeros! */
3292 }
3293 }
3294 else
3295 *ascii++ = 48;
3296
3297 /* And null terminate the string: */
3298 *ascii = 0;
3299 return;
3300 }
3301 }
3302
3303 /* Here on buffer too small. */
3304 png_error(png_ptr, "ASCII conversion buffer too small");
3305 }
3306 # endif /* FIXED_POINT */
3307 #endif /* SCAL */
3308
3309 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3310 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3311 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3312 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3313 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3314 (defined(PNG_sCAL_SUPPORTED) && \
3315 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3316 png_fixed_point
3317 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3318 {
3319 double r = floor(100000 * fp + .5);
3320
3321 if (r > 2147483647. || r < -2147483648.)
3322 png_fixed_error(png_ptr, text);
3323
3324 # ifndef PNG_ERROR_TEXT_SUPPORTED
3325 PNG_UNUSED(text)
3326 # endif
3327
3328 return (png_fixed_point)r;
3329 }
3330 #endif
3331
3332 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3333 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3334 /* muldiv functions */
3335 /* This API takes signed arguments and rounds the result to the nearest
3336 * integer (or, for a fixed point number - the standard argument - to
3337 * the nearest .00001). Overflow and divide by zero are signalled in
3338 * the result, a boolean - true on success, false on overflow.
3339 */
3340 #if GCC_STRICT_OVERFLOW /* from above */
3341 /* It is not obvious which comparison below gets optimized in such a way that
3342 * signed overflow would change the result; looking through the code does not
3343 * reveal any tests which have the form GCC complains about, so presumably the
3344 * optimizer is moving an add or subtract into the 'if' somewhere.
3345 */
3346 #pragma GCC diagnostic push
3347 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
3348 #endif /* GCC_STRICT_OVERFLOW */
3349 int
3350 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3351 png_int_32 divisor)
3352 {
3353 /* Return a * times / divisor, rounded. */
3354 if (divisor != 0)
3355 {
3356 if (a == 0 || times == 0)
3357 {
3358 *res = 0;
3359 return 1;
3360 }
3361 else
3362 {
3363 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3364 double r = a;
3365 r *= times;
3366 r /= divisor;
3367 r = floor(r+.5);
3368
3369 /* A png_fixed_point is a 32-bit integer. */
3370 if (r <= 2147483647. && r >= -2147483648.)
3371 {
3372 *res = (png_fixed_point)r;
3373 return 1;
3374 }
3375 #else
3376 int negative = 0;
3377 png_uint_32 A, T, D;
3378 png_uint_32 s16, s32, s00;
3379
3380 if (a < 0)
3381 negative = 1, A = -a;
3382 else
3383 A = a;
3384
3385 if (times < 0)
3386 negative = !negative, T = -times;
3387 else
3388 T = times;
3389
3390 if (divisor < 0)
3391 negative = !negative, D = -divisor;
3392 else
3393 D = divisor;
3394
3395 /* Following can't overflow because the arguments only
3396 * have 31 bits each, however the result may be 32 bits.
3397 */
3398 s16 = (A >> 16) * (T & 0xffff) +
3399 (A & 0xffff) * (T >> 16);
3400 /* Can't overflow because the a*times bit is only 30
3401 * bits at most.
3402 */
3403 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3404 s00 = (A & 0xffff) * (T & 0xffff);
3405
3406 s16 = (s16 & 0xffff) << 16;
3407 s00 += s16;
3408
3409 if (s00 < s16)
3410 ++s32; /* carry */
3411
3412 if (s32 < D) /* else overflow */
3413 {
3414 /* s32.s00 is now the 64-bit product, do a standard
3415 * division, we know that s32 < D, so the maximum
3416 * required shift is 31.
3417 */
3418 int bitshift = 32;
3419 png_fixed_point result = 0; /* NOTE: signed */
3420
3421 while (--bitshift >= 0)
3422 {
3423 png_uint_32 d32, d00;
3424
3425 if (bitshift > 0)
3426 d32 = D >> (32-bitshift), d00 = D << bitshift;
3427
3428 else
3429 d32 = 0, d00 = D;
3430
3431 if (s32 > d32)
3432 {
3433 if (s00 < d00) --s32; /* carry */
3434 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3435 }
3436
3437 else
3438 if (s32 == d32 && s00 >= d00)
3439 s32 = 0, s00 -= d00, result += 1<<bitshift;
3440 }
3441
3442 /* Handle the rounding. */
3443 if (s00 >= (D >> 1))
3444 ++result;
3445
3446 if (negative != 0)
3447 result = -result;
3448
3449 /* Check for overflow. */
3450 if ((negative != 0 && result <= 0) ||
3451 (negative == 0 && result >= 0))
3452 {
3453 *res = result;
3454 return 1;
3455 }
3456 }
3457 #endif
3458 }
3459 }
3460
3461 return 0;
3462 }
3463 #if GCC_STRICT_OVERFLOW
3464 #pragma GCC diagnostic pop
3465 #endif /* GCC_STRICT_OVERFLOW */
3466 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3467
3468 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3469 /* The following is for when the caller doesn't much care about the
3470 * result.
3471 */
3472 png_fixed_point
3473 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3474 png_int_32 divisor)
3475 {
3476 png_fixed_point result;
3477
3478 if (png_muldiv(&result, a, times, divisor) != 0)
3479 return result;
3480
3481 png_warning(png_ptr, "fixed point overflow ignored");
3482 return 0;
3483 }
3484 #endif
3485
3486 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3487 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3488 png_fixed_point
3489 png_reciprocal(png_fixed_point a)
3490 {
3491 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3492 double r = floor(1E10/a+.5);
3493
3494 if (r <= 2147483647. && r >= -2147483648.)
3495 return (png_fixed_point)r;
3496 #else
3497 png_fixed_point res;
3498
3499 if (png_muldiv(&res, 100000, 100000, a) != 0)
3500 return res;
3501 #endif
3502
3503 return 0; /* error/overflow */
3504 }
3505
3506 /* This is the shared test on whether a gamma value is 'significant' - whether
3507 * it is worth doing gamma correction.
3508 */
3509 int /* PRIVATE */
3510 png_gamma_significant(png_fixed_point gamma_val)
3511 {
3512 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3513 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3514 }
3515 #endif
3516
3517 #ifdef PNG_READ_GAMMA_SUPPORTED
3518 #ifdef PNG_16BIT_SUPPORTED
3519 /* A local convenience routine. */
3520 static png_fixed_point
3521 png_product2(png_fixed_point a, png_fixed_point b)
3522 {
3523 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3524 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3525 double r = a * 1E-5;
3526 r *= b;
3527 r = floor(r+.5);
3528
3529 if (r <= 2147483647. && r >= -2147483648.)
3530 return (png_fixed_point)r;
3531 #else
3532 png_fixed_point res;
3533
3534 if (png_muldiv(&res, a, b, 100000) != 0)
3535 return res;
3536 #endif
3537
3538 return 0; /* overflow */
3539 }
3540 #endif /* 16BIT */
3541
3542 /* The inverse of the above. */
3543 png_fixed_point
3544 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3545 {
3546 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3547 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3548 if (a != 0 && b != 0)
3549 {
3550 double r = 1E15/a;
3551 r /= b;
3552 r = floor(r+.5);
3553
3554 if (r <= 2147483647. && r >= -2147483648.)
3555 return (png_fixed_point)r;
3556 }
3557 #else
3558 /* This may overflow because the range of png_fixed_point isn't symmetric,
3559 * but this API is only used for the product of file and screen gamma so it
3560 * doesn't matter that the smallest number it can produce is 1/21474, not
3561 * 1/100000
3562 */
3563 png_fixed_point res = png_product2(a, b);
3564
3565 if (res != 0)
3566 return png_reciprocal(res);
3567 #endif
3568
3569 return 0; /* overflow */
3570 }
3571 #endif /* READ_GAMMA */
3572
3573 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3574 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3575 /* Fixed point gamma.
3576 *
3577 * The code to calculate the tables used below can be found in the shell script
3578 * contrib/tools/intgamma.sh
3579 *
3580 * To calculate gamma this code implements fast log() and exp() calls using only
3581 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3582 * or 16-bit sample values.
3583 *
3584 * The tables used here were calculated using simple 'bc' programs, but C double
3585 * precision floating point arithmetic would work fine.
3586 *
3587 * 8-bit log table
3588 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3589 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3590 * mantissa. The numbers are 32-bit fractions.
3591 */
3592 static const png_uint_32
3593 png_8bit_l2[128] =
3594 {
3595 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3596 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3597 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3598 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3599 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3600 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3601 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3602 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3603 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3604 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3605 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3606 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3607 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3608 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3609 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3610 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3611 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3612 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3613 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3614 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3615 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3616 24347096U, 0U
3617
3618 #if 0
3619 /* The following are the values for 16-bit tables - these work fine for the
3620 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3621 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3622 * use these all the shifts below must be adjusted appropriately.
3623 */
3624 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3625 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3626 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3627 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3628 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3629 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3630 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3631 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3632 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3633 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3634 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3635 1119, 744, 372
3636 #endif
3637 };
3638
3639 static png_int_32
3640 png_log8bit(unsigned int x)
3641 {
3642 unsigned int lg2 = 0;
3643 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3644 * because the log is actually negate that means adding 1. The final
3645 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3646 * input), return -1 for the overflow (log 0) case, - so the result is
3647 * always at most 19 bits.
3648 */
3649 if ((x &= 0xff) == 0)
3650 return -1;
3651
3652 if ((x & 0xf0) == 0)
3653 lg2 = 4, x <<= 4;
3654
3655 if ((x & 0xc0) == 0)
3656 lg2 += 2, x <<= 2;
3657
3658 if ((x & 0x80) == 0)
3659 lg2 += 1, x <<= 1;
3660
3661 /* result is at most 19 bits, so this cast is safe: */
3662 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3663 }
3664
3665 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3666 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3667 * get an approximation then multiply the approximation by a correction factor
3668 * determined by the remaining up to 8 bits. This requires an additional step
3669 * in the 16-bit case.
3670 *
3671 * We want log2(value/65535), we have log2(v'/255), where:
3672 *
3673 * value = v' * 256 + v''
3674 * = v' * f
3675 *
3676 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3677 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3678 * than 258. The final factor also needs to correct for the fact that our 8-bit
3679 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3680 *
3681 * This gives a final formula using a calculated value 'x' which is value/v' and
3682 * scaling by 65536 to match the above table:
3683 *
3684 * log2(x/257) * 65536
3685 *
3686 * Since these numbers are so close to '1' we can use simple linear
3687 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3688 * (result 367.179). The values used below are scaled by a further 64 to give
3689 * 16-bit precision in the interpolation:
3690 *
3691 * Start (256): -23591
3692 * Zero (257): 0
3693 * End (258): 23499
3694 */
3695 #ifdef PNG_16BIT_SUPPORTED
3696 static png_int_32
3697 png_log16bit(png_uint_32 x)
3698 {
3699 unsigned int lg2 = 0;
3700
3701 /* As above, but now the input has 16 bits. */
3702 if ((x &= 0xffff) == 0)
3703 return -1;
3704
3705 if ((x & 0xff00) == 0)
3706 lg2 = 8, x <<= 8;
3707
3708 if ((x & 0xf000) == 0)
3709 lg2 += 4, x <<= 4;
3710
3711 if ((x & 0xc000) == 0)
3712 lg2 += 2, x <<= 2;
3713
3714 if ((x & 0x8000) == 0)
3715 lg2 += 1, x <<= 1;
3716
3717 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3718 * value.
3719 */
3720 lg2 <<= 28;
3721 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3722
3723 /* Now we need to interpolate the factor, this requires a division by the top
3724 * 8 bits. Do this with maximum precision.
3725 */
3726 x = ((x << 16) + (x >> 9)) / (x >> 8);
3727
3728 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3729 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3730 * 16 bits to interpolate to get the low bits of the result. Round the
3731 * answer. Note that the end point values are scaled by 64 to retain overall
3732 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3733 * the overall scaling by 6-12. Round at every step.
3734 */
3735 x -= 1U << 24;
3736
3737 if (x <= 65536U) /* <= '257' */
3738 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3739
3740 else
3741 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3742
3743 /* Safe, because the result can't have more than 20 bits: */
3744 return (png_int_32)((lg2 + 2048) >> 12);
3745 }
3746 #endif /* 16BIT */
3747
3748 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3749 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3750 * each case only the low 16 bits are relevant - the fraction - since the
3751 * integer bits (the top 4) simply determine a shift.
3752 *
3753 * The worst case is the 16-bit distinction between 65535 and 65534. This
3754 * requires perhaps spurious accuracy in the decoding of the logarithm to
3755 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3756 * of getting this accuracy in practice.
3757 *
3758 * To deal with this the following exp() function works out the exponent of the
3759 * fractional part of the logarithm by using an accurate 32-bit value from the
3760 * top four fractional bits then multiplying in the remaining bits.
3761 */
3762 static const png_uint_32
3763 png_32bit_exp[16] =
3764 {
3765 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3766 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3767 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3768 2553802834U, 2445529972U, 2341847524U, 2242560872U
3769 };
3770
3771 /* Adjustment table; provided to explain the numbers in the code below. */
3772 #if 0
3773 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3774 11 44937.64284865548751208448
3775 10 45180.98734845585101160448
3776 9 45303.31936980687359311872
3777 8 45364.65110595323018870784
3778 7 45395.35850361789624614912
3779 6 45410.72259715102037508096
3780 5 45418.40724413220722311168
3781 4 45422.25021786898173001728
3782 3 45424.17186732298419044352
3783 2 45425.13273269940811464704
3784 1 45425.61317555035558641664
3785 0 45425.85339951654943850496
3786 #endif
3787
3788 static png_uint_32
3789 png_exp(png_fixed_point x)
3790 {
3791 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3792 {
3793 /* Obtain a 4-bit approximation */
3794 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3795
3796 /* Incorporate the low 12 bits - these decrease the returned value by
3797 * multiplying by a number less than 1 if the bit is set. The multiplier
3798 * is determined by the above table and the shift. Notice that the values
3799 * converge on 45426 and this is used to allow linear interpolation of the
3800 * low bits.
3801 */
3802 if (x & 0x800)
3803 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3804
3805 if (x & 0x400)
3806 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3807
3808 if (x & 0x200)
3809 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3810
3811 if (x & 0x100)
3812 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3813
3814 if (x & 0x080)
3815 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3816
3817 if (x & 0x040)
3818 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3819
3820 /* And handle the low 6 bits in a single block. */
3821 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3822
3823 /* Handle the upper bits of x. */
3824 e >>= x >> 16;
3825 return e;
3826 }
3827
3828 /* Check for overflow */
3829 if (x <= 0)
3830 return png_32bit_exp[0];
3831
3832 /* Else underflow */
3833 return 0;
3834 }
3835
3836 static png_byte
3837 png_exp8bit(png_fixed_point lg2)
3838 {
3839 /* Get a 32-bit value: */
3840 png_uint_32 x = png_exp(lg2);
3841
3842 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3843 * second, rounding, step can't overflow because of the first, subtraction,
3844 * step.
3845 */
3846 x -= x >> 8;
3847 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3848 }
3849
3850 #ifdef PNG_16BIT_SUPPORTED
3851 static png_uint_16
3852 png_exp16bit(png_fixed_point lg2)
3853 {
3854 /* Get a 32-bit value: */
3855 png_uint_32 x = png_exp(lg2);
3856
3857 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3858 x -= x >> 16;
3859 return (png_uint_16)((x + 32767U) >> 16);
3860 }
3861 #endif /* 16BIT */
3862 #endif /* FLOATING_ARITHMETIC */
3863
3864 png_byte
3865 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3866 {
3867 if (value > 0 && value < 255)
3868 {
3869 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3870 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3871 * convert this to a floating point value. This includes values that
3872 * would overflow if 'value' were to be converted to 'int'.
3873 *
3874 * Apparently GCC, however, does an intermediate conversion to (int)
3875 * on some (ARM) but not all (x86) platforms, possibly because of
3876 * hardware FP limitations. (E.g. if the hardware conversion always
3877 * assumes the integer register contains a signed value.) This results
3878 * in ANSI-C undefined behavior for large values.
3879 *
3880 * Other implementations on the same machine might actually be ANSI-C90
3881 * conformant and therefore compile spurious extra code for the large
3882 * values.
3883 *
3884 * We can be reasonably sure that an unsigned to float conversion
3885 * won't be faster than an int to float one. Therefore this code
3886 * assumes responsibility for the undefined behavior, which it knows
3887 * can't happen because of the check above.
3888 *
3889 * Note the argument to this routine is an (unsigned int) because, on
3890 * 16-bit platforms, it is assigned a value which might be out of
3891 * range for an (int); that would result in undefined behavior in the
3892 * caller if the *argument* ('value') were to be declared (int).
3893 */
3894 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3895 return (png_byte)r;
3896 # else
3897 png_int_32 lg2 = png_log8bit(value);
3898 png_fixed_point res;
3899
3900 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3901 return png_exp8bit(res);
3902
3903 /* Overflow. */
3904 value = 0;
3905 # endif
3906 }
3907
3908 return (png_byte)(value & 0xff);
3909 }
3910
3911 #ifdef PNG_16BIT_SUPPORTED
3912 png_uint_16
3913 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3914 {
3915 if (value > 0 && value < 65535)
3916 {
3917 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3918 /* The same (unsigned int)->(double) constraints apply here as above,
3919 * however in this case the (unsigned int) to (int) conversion can
3920 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3921 * that this is not possible.
3922 */
3923 double r = floor(65535*pow((png_int_32)value/65535.,
3924 gamma_val*.00001)+.5);
3925 return (png_uint_16)r;
3926 # else
3927 png_int_32 lg2 = png_log16bit(value);
3928 png_fixed_point res;
3929
3930 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3931 return png_exp16bit(res);
3932
3933 /* Overflow. */
3934 value = 0;
3935 # endif
3936 }
3937
3938 return (png_uint_16)value;
3939 }
3940 #endif /* 16BIT */
3941
3942 /* This does the right thing based on the bit_depth field of the
3943 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3944 * is nominally a 16-bit value if bit depth is 8 then the result is
3945 * 8-bit (as are the arguments.)
3946 */
3947 png_uint_16 /* PRIVATE */
3948 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3949 png_fixed_point gamma_val)
3950 {
3951 if (png_ptr->bit_depth == 8)
3952 return png_gamma_8bit_correct(value, gamma_val);
3953
3954 #ifdef PNG_16BIT_SUPPORTED
3955 else
3956 return png_gamma_16bit_correct(value, gamma_val);
3957 #else
3958 /* should not reach this */
3959 return 0;
3960 #endif /* 16BIT */
3961 }
3962
3963 #ifdef PNG_16BIT_SUPPORTED
3964 /* Internal function to build a single 16-bit table - the table consists of
3965 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3966 * to shift the input values right (or 16-number_of_signifiant_bits).
3967 *
3968 * The caller is responsible for ensuring that the table gets cleaned up on
3969 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3970 * should be somewhere that will be cleaned.
3971 */
3972 static void
3973 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3974 unsigned int shift, png_fixed_point gamma_val)
3975 {
3976 /* Various values derived from 'shift': */
3977 unsigned int num = 1U << (8U - shift);
3978 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3979 /* CSE the division and work round wacky GCC warnings (see the comments
3980 * in png_gamma_8bit_correct for where these come from.)
3981 */
3982 double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1);
3983 #endif
3984 unsigned int max = (1U << (16U - shift)) - 1U;
3985 unsigned int max_by_2 = 1U << (15U - shift);
3986 unsigned int i;
3987
3988 png_uint_16pp table = *ptable =
3989 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3990
3991 for (i = 0; i < num; i++)
3992 {
3993 png_uint_16p sub_table = table[i] =
3994 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3995
3996 /* The 'threshold' test is repeated here because it can arise for one of
3997 * the 16-bit tables even if the others don't hit it.
3998 */
3999 if (png_gamma_significant(gamma_val) != 0)
4000 {
4001 /* The old code would overflow at the end and this would cause the
4002 * 'pow' function to return a result >1, resulting in an
4003 * arithmetic error. This code follows the spec exactly; ig is
4004 * the recovered input sample, it always has 8-16 bits.
4005 *
4006 * We want input * 65535/max, rounded, the arithmetic fits in 32
4007 * bits (unsigned) so long as max <= 32767.
4008 */
4009 unsigned int j;
4010 for (j = 0; j < 256; j++)
4011 {
4012 png_uint_32 ig = (j << (8-shift)) + i;
4013 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4014 /* Inline the 'max' scaling operation: */
4015 /* See png_gamma_8bit_correct for why the cast to (int) is
4016 * required here.
4017 */
4018 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4019 sub_table[j] = (png_uint_16)d;
4020 # else
4021 if (shift != 0)
4022 ig = (ig * 65535U + max_by_2)/max;
4023
4024 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4025 # endif
4026 }
4027 }
4028 else
4029 {
4030 /* We must still build a table, but do it the fast way. */
4031 unsigned int j;
4032
4033 for (j = 0; j < 256; j++)
4034 {
4035 png_uint_32 ig = (j << (8-shift)) + i;
4036
4037 if (shift != 0)
4038 ig = (ig * 65535U + max_by_2)/max;
4039
4040 sub_table[j] = (png_uint_16)ig;
4041 }
4042 }
4043 }
4044 }
4045
4046 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4047 * required.
4048 */
4049 static void
4050 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4051 unsigned int shift, png_fixed_point gamma_val)
4052 {
4053 unsigned int num = 1U << (8U - shift);
4054 unsigned int max = (1U << (16U - shift))-1U;
4055 unsigned int i;
4056 png_uint_32 last;
4057
4058 png_uint_16pp table = *ptable =
4059 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4060
4061 /* 'num' is the number of tables and also the number of low bits of low
4062 * bits of the input 16-bit value used to select a table. Each table is
4063 * itself indexed by the high 8 bits of the value.
4064 */
4065 for (i = 0; i < num; i++)
4066 table[i] = (png_uint_16p)png_malloc(png_ptr,
4067 256 * (sizeof (png_uint_16)));
4068
4069 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4070 * pow(out,g) is an *input* value. 'last' is the last input value set.
4071 *
4072 * In the loop 'i' is used to find output values. Since the output is
4073 * 8-bit there are only 256 possible values. The tables are set up to
4074 * select the closest possible output value for each input by finding
4075 * the input value at the boundary between each pair of output values
4076 * and filling the table up to that boundary with the lower output
4077 * value.
4078 *
4079 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4080 * values the code below uses a 16-bit value in i; the values start at
4081 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4082 * entries are filled with 255). Start i at 128 and fill all 'last'
4083 * table entries <= 'max'
4084 */
4085 last = 0;
4086 for (i = 0; i < 255; ++i) /* 8-bit output value */
4087 {
4088 /* Find the corresponding maximum input value */
4089 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4090
4091 /* Find the boundary value in 16 bits: */
4092 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4093
4094 /* Adjust (round) to (16-shift) bits: */
4095 bound = (bound * max + 32768U)/65535U + 1U;
4096
4097 while (last < bound)
4098 {
4099 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4100 last++;
4101 }
4102 }
4103
4104 /* And fill in the final entries. */
4105 while (last < (num << 8))
4106 {
4107 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4108 last++;
4109 }
4110 }
4111 #endif /* 16BIT */
4112
4113 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4114 * typically much faster). Note that libpng currently does no sBIT processing
4115 * (apparently contrary to the spec) so a 256-entry table is always generated.
4116 */
4117 static void
4118 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4119 png_fixed_point gamma_val)
4120 {
4121 unsigned int i;
4122 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4123
4124 if (png_gamma_significant(gamma_val) != 0)
4125 for (i=0; i<256; i++)
4126 table[i] = png_gamma_8bit_correct(i, gamma_val);
4127
4128 else
4129 for (i=0; i<256; ++i)
4130 table[i] = (png_byte)(i & 0xff);
4131 }
4132
4133 /* Used from png_read_destroy and below to release the memory used by the gamma
4134 * tables.
4135 */
4136 void /* PRIVATE */
4137 png_destroy_gamma_table(png_structrp png_ptr)
4138 {
4139 png_free(png_ptr, png_ptr->gamma_table);
4140 png_ptr->gamma_table = NULL;
4141
4142 #ifdef PNG_16BIT_SUPPORTED
4143 if (png_ptr->gamma_16_table != NULL)
4144 {
4145 int i;
4146 int istop = (1 << (8 - png_ptr->gamma_shift));
4147 for (i = 0; i < istop; i++)
4148 {
4149 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4150 }
4151 png_free(png_ptr, png_ptr->gamma_16_table);
4152 png_ptr->gamma_16_table = NULL;
4153 }
4154 #endif /* 16BIT */
4155
4156 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4157 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4158 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4159 png_free(png_ptr, png_ptr->gamma_from_1);
4160 png_ptr->gamma_from_1 = NULL;
4161 png_free(png_ptr, png_ptr->gamma_to_1);
4162 png_ptr->gamma_to_1 = NULL;
4163
4164 #ifdef PNG_16BIT_SUPPORTED
4165 if (png_ptr->gamma_16_from_1 != NULL)
4166 {
4167 int i;
4168 int istop = (1 << (8 - png_ptr->gamma_shift));
4169 for (i = 0; i < istop; i++)
4170 {
4171 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4172 }
4173 png_free(png_ptr, png_ptr->gamma_16_from_1);
4174 png_ptr->gamma_16_from_1 = NULL;
4175 }
4176 if (png_ptr->gamma_16_to_1 != NULL)
4177 {
4178 int i;
4179 int istop = (1 << (8 - png_ptr->gamma_shift));
4180 for (i = 0; i < istop; i++)
4181 {
4182 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4183 }
4184 png_free(png_ptr, png_ptr->gamma_16_to_1);
4185 png_ptr->gamma_16_to_1 = NULL;
4186 }
4187 #endif /* 16BIT */
4188 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4189 }
4190
4191 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4192 * tables, we don't make a full table if we are reducing to 8-bit in
4193 * the future. Note also how the gamma_16 tables are segmented so that
4194 * we don't need to allocate > 64K chunks for a full 16-bit table.
4195 */
4196 void /* PRIVATE */
4197 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4198 {
4199 png_debug(1, "in png_build_gamma_table");
4200
4201 /* Remove any existing table; this copes with multiple calls to
4202 * png_read_update_info. The warning is because building the gamma tables
4203 * multiple times is a performance hit - it's harmless but the ability to
4204 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4205 * sensible to warn if the app introduces such a hit.
4206 */
4207 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4208 {
4209 png_warning(png_ptr, "gamma table being rebuilt");
4210 png_destroy_gamma_table(png_ptr);
4211 }
4212
4213 if (bit_depth <= 8)
4214 {
4215 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4216 png_ptr->screen_gamma > 0 ?
4217 png_reciprocal2(png_ptr->colorspace.gamma,
4218 png_ptr->screen_gamma) : PNG_FP_1);
4219
4220 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4221 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4222 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4223 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4224 {
4225 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4226 png_reciprocal(png_ptr->colorspace.gamma));
4227
4228 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4229 png_ptr->screen_gamma > 0 ?
4230 png_reciprocal(png_ptr->screen_gamma) :
4231 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4232 }
4233 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4234 }
4235 #ifdef PNG_16BIT_SUPPORTED
4236 else
4237 {
4238 png_byte shift, sig_bit;
4239
4240 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4241 {
4242 sig_bit = png_ptr->sig_bit.red;
4243
4244 if (png_ptr->sig_bit.green > sig_bit)
4245 sig_bit = png_ptr->sig_bit.green;
4246
4247 if (png_ptr->sig_bit.blue > sig_bit)
4248 sig_bit = png_ptr->sig_bit.blue;
4249 }
4250 else
4251 sig_bit = png_ptr->sig_bit.gray;
4252
4253 /* 16-bit gamma code uses this equation:
4254 *
4255 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4256 *
4257 * Where 'iv' is the input color value and 'ov' is the output value -
4258 * pow(iv, gamma).
4259 *
4260 * Thus the gamma table consists of up to 256 256-entry tables. The table
4261 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4262 * of the color value then indexed by the upper 8 bits:
4263 *
4264 * table[low bits][high 8 bits]
4265 *
4266 * So the table 'n' corresponds to all those 'iv' of:
4267 *
4268 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4269 *
4270 */
4271 if (sig_bit > 0 && sig_bit < 16U)
4272 /* shift == insignificant bits */
4273 shift = (png_byte)((16U - sig_bit) & 0xff);
4274
4275 else
4276 shift = 0; /* keep all 16 bits */
4277
4278 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4279 {
4280 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4281 * the significant bits in the *input* when the output will
4282 * eventually be 8 bits. By default it is 11.
4283 */
4284 if (shift < (16U - PNG_MAX_GAMMA_8))
4285 shift = (16U - PNG_MAX_GAMMA_8);
4286 }
4287
4288 if (shift > 8U)
4289 shift = 8U; /* Guarantees at least one table! */
4290
4291 png_ptr->gamma_shift = shift;
4292
4293 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4294 * PNG_COMPOSE). This effectively smashed the background calculation for
4295 * 16-bit output because the 8-bit table assumes the result will be
4296 * reduced to 8 bits.
4297 */
4298 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4299 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4300 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4301 png_ptr->screen_gamma) : PNG_FP_1);
4302
4303 else
4304 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4305 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4306 png_ptr->screen_gamma) : PNG_FP_1);
4307
4308 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4309 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4310 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4311 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4312 {
4313 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4314 png_reciprocal(png_ptr->colorspace.gamma));
4315
4316 /* Notice that the '16 from 1' table should be full precision, however
4317 * the lookup on this table still uses gamma_shift, so it can't be.
4318 * TODO: fix this.
4319 */
4320 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4321 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4322 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4323 }
4324 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4325 }
4326 #endif /* 16BIT */
4327 }
4328 #endif /* READ_GAMMA */
4329
4330 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4331 #ifdef PNG_SET_OPTION_SUPPORTED
4332 int PNGAPI
4333 png_set_option(png_structrp png_ptr, int option, int onoff)
4334 {
4335 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4336 (option & 1) == 0)
4337 {
4338 png_uint_32 mask = 3U << option;
4339 png_uint_32 setting = (2U + (onoff != 0)) << option;
4340 png_uint_32 current = png_ptr->options;
4341
4342 png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4343
4344 return (int)(current & mask) >> option;
4345 }
4346
4347 return PNG_OPTION_INVALID;
4348 }
4349 #endif
4350
4351 /* sRGB support */
4352 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4353 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4354 /* sRGB conversion tables; these are machine generated with the code in
4355 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4356 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4357 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4358 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4359 * The inverse (linear to sRGB) table has accuracies as follows:
4360 *
4361 * For all possible (255*65535+1) input values:
4362 *
4363 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4364 *
4365 * For the input values corresponding to the 65536 16-bit values:
4366 *
4367 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4368 *
4369 * In all cases the inexact readings are only off by one.
4370 */
4371
4372 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4373 /* The convert-to-sRGB table is only currently required for read. */
4374 const png_uint_16 png_sRGB_table[256] =
4375 {
4376 0,20,40,60,80,99,119,139,
4377 159,179,199,219,241,264,288,313,
4378 340,367,396,427,458,491,526,562,
4379 599,637,677,718,761,805,851,898,
4380 947,997,1048,1101,1156,1212,1270,1330,
4381 1391,1453,1517,1583,1651,1720,1790,1863,
4382 1937,2013,2090,2170,2250,2333,2418,2504,
4383 2592,2681,2773,2866,2961,3058,3157,3258,
4384 3360,3464,3570,3678,3788,3900,4014,4129,
4385 4247,4366,4488,4611,4736,4864,4993,5124,
4386 5257,5392,5530,5669,5810,5953,6099,6246,
4387 6395,6547,6700,6856,7014,7174,7335,7500,
4388 7666,7834,8004,8177,8352,8528,8708,8889,
4389 9072,9258,9445,9635,9828,10022,10219,10417,
4390 10619,10822,11028,11235,11446,11658,11873,12090,
4391 12309,12530,12754,12980,13209,13440,13673,13909,
4392 14146,14387,14629,14874,15122,15371,15623,15878,
4393 16135,16394,16656,16920,17187,17456,17727,18001,
4394 18277,18556,18837,19121,19407,19696,19987,20281,
4395 20577,20876,21177,21481,21787,22096,22407,22721,
4396 23038,23357,23678,24002,24329,24658,24990,25325,
4397 25662,26001,26344,26688,27036,27386,27739,28094,
4398 28452,28813,29176,29542,29911,30282,30656,31033,
4399 31412,31794,32179,32567,32957,33350,33745,34143,
4400 34544,34948,35355,35764,36176,36591,37008,37429,
4401 37852,38278,38706,39138,39572,40009,40449,40891,
4402 41337,41785,42236,42690,43147,43606,44069,44534,
4403 45002,45473,45947,46423,46903,47385,47871,48359,
4404 48850,49344,49841,50341,50844,51349,51858,52369,
4405 52884,53401,53921,54445,54971,55500,56032,56567,
4406 57105,57646,58190,58737,59287,59840,60396,60955,
4407 61517,62082,62650,63221,63795,64372,64952,65535
4408 };
4409 #endif /* SIMPLIFIED_READ */
4410
4411 /* The base/delta tables are required for both read and write (but currently
4412 * only the simplified versions.)
4413 */
4414 const png_uint_16 png_sRGB_base[512] =
4415 {
4416 128,1782,3383,4644,5675,6564,7357,8074,
4417 8732,9346,9921,10463,10977,11466,11935,12384,
4418 12816,13233,13634,14024,14402,14769,15125,15473,
4419 15812,16142,16466,16781,17090,17393,17690,17981,
4420 18266,18546,18822,19093,19359,19621,19879,20133,
4421 20383,20630,20873,21113,21349,21583,21813,22041,
4422 22265,22487,22707,22923,23138,23350,23559,23767,
4423 23972,24175,24376,24575,24772,24967,25160,25352,
4424 25542,25730,25916,26101,26284,26465,26645,26823,
4425 27000,27176,27350,27523,27695,27865,28034,28201,
4426 28368,28533,28697,28860,29021,29182,29341,29500,
4427 29657,29813,29969,30123,30276,30429,30580,30730,
4428 30880,31028,31176,31323,31469,31614,31758,31902,
4429 32045,32186,32327,32468,32607,32746,32884,33021,
4430 33158,33294,33429,33564,33697,33831,33963,34095,
4431 34226,34357,34486,34616,34744,34873,35000,35127,
4432 35253,35379,35504,35629,35753,35876,35999,36122,
4433 36244,36365,36486,36606,36726,36845,36964,37083,
4434 37201,37318,37435,37551,37668,37783,37898,38013,
4435 38127,38241,38354,38467,38580,38692,38803,38915,
4436 39026,39136,39246,39356,39465,39574,39682,39790,
4437 39898,40005,40112,40219,40325,40431,40537,40642,
4438 40747,40851,40955,41059,41163,41266,41369,41471,
4439 41573,41675,41777,41878,41979,42079,42179,42279,
4440 42379,42478,42577,42676,42775,42873,42971,43068,
4441 43165,43262,43359,43456,43552,43648,43743,43839,
4442 43934,44028,44123,44217,44311,44405,44499,44592,
4443 44685,44778,44870,44962,45054,45146,45238,45329,
4444 45420,45511,45601,45692,45782,45872,45961,46051,
4445 46140,46229,46318,46406,46494,46583,46670,46758,
4446 46846,46933,47020,47107,47193,47280,47366,47452,
4447 47538,47623,47709,47794,47879,47964,48048,48133,
4448 48217,48301,48385,48468,48552,48635,48718,48801,
4449 48884,48966,49048,49131,49213,49294,49376,49458,
4450 49539,49620,49701,49782,49862,49943,50023,50103,
4451 50183,50263,50342,50422,50501,50580,50659,50738,
4452 50816,50895,50973,51051,51129,51207,51285,51362,
4453 51439,51517,51594,51671,51747,51824,51900,51977,
4454 52053,52129,52205,52280,52356,52432,52507,52582,
4455 52657,52732,52807,52881,52956,53030,53104,53178,
4456 53252,53326,53400,53473,53546,53620,53693,53766,
4457 53839,53911,53984,54056,54129,54201,54273,54345,
4458 54417,54489,54560,54632,54703,54774,54845,54916,
4459 54987,55058,55129,55199,55269,55340,55410,55480,
4460 55550,55620,55689,55759,55828,55898,55967,56036,
4461 56105,56174,56243,56311,56380,56448,56517,56585,
4462 56653,56721,56789,56857,56924,56992,57059,57127,
4463 57194,57261,57328,57395,57462,57529,57595,57662,
4464 57728,57795,57861,57927,57993,58059,58125,58191,
4465 58256,58322,58387,58453,58518,58583,58648,58713,
4466 58778,58843,58908,58972,59037,59101,59165,59230,
4467 59294,59358,59422,59486,59549,59613,59677,59740,
4468 59804,59867,59930,59993,60056,60119,60182,60245,
4469 60308,60370,60433,60495,60558,60620,60682,60744,
4470 60806,60868,60930,60992,61054,61115,61177,61238,
4471 61300,61361,61422,61483,61544,61605,61666,61727,
4472 61788,61848,61909,61969,62030,62090,62150,62211,
4473 62271,62331,62391,62450,62510,62570,62630,62689,
4474 62749,62808,62867,62927,62986,63045,63104,63163,
4475 63222,63281,63340,63398,63457,63515,63574,63632,
4476 63691,63749,63807,63865,63923,63981,64039,64097,
4477 64155,64212,64270,64328,64385,64443,64500,64557,
4478 64614,64672,64729,64786,64843,64900,64956,65013,
4479 65070,65126,65183,65239,65296,65352,65409,65465
4480 };
4481
4482 const png_byte png_sRGB_delta[512] =
4483 {
4484 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4485 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4486 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4487 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4488 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4489 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4490 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4491 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4492 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4493 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4494 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4495 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4496 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4497 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4498 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4499 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4500 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4501 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4502 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4503 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4504 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4505 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4506 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4507 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4508 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4509 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4510 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4511 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4512 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4513 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4514 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4515 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4516 };
4517 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4518
4519 /* SIMPLIFIED READ/WRITE SUPPORT */
4520 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4521 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4522 static int
4523 png_image_free_function(png_voidp argument)
4524 {
4525 png_imagep image = png_voidcast(png_imagep, argument);
4526 png_controlp cp = image->opaque;
4527 png_control c;
4528
4529 /* Double check that we have a png_ptr - it should be impossible to get here
4530 * without one.
4531 */
4532 if (cp->png_ptr == NULL)
4533 return 0;
4534
4535 /* First free any data held in the control structure. */
4536 # ifdef PNG_STDIO_SUPPORTED
4537 if (cp->owned_file != 0)
4538 {
4539 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4540 cp->owned_file = 0;
4541
4542 /* Ignore errors here. */
4543 if (fp != NULL)
4544 {
4545 cp->png_ptr->io_ptr = NULL;
4546 (void)fclose(fp);
4547 }
4548 }
4549 # endif
4550
4551 /* Copy the control structure so that the original, allocated, version can be
4552 * safely freed. Notice that a png_error here stops the remainder of the
4553 * cleanup, but this is probably fine because that would indicate bad memory
4554 * problems anyway.
4555 */
4556 c = *cp;
4557 image->opaque = &c;
4558 png_free(c.png_ptr, cp);
4559
4560 /* Then the structures, calling the correct API. */
4561 if (c.for_write != 0)
4562 {
4563 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4564 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4565 # else
4566 png_error(c.png_ptr, "simplified write not supported");
4567 # endif
4568 }
4569 else
4570 {
4571 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4572 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4573 # else
4574 png_error(c.png_ptr, "simplified read not supported");
4575 # endif
4576 }
4577
4578 /* Success. */
4579 return 1;
4580 }
4581
4582 void PNGAPI
4583 png_image_free(png_imagep image)
4584 {
4585 /* Safely call the real function, but only if doing so is safe at this point
4586 * (if not inside an error handling context). Otherwise assume
4587 * png_safe_execute will call this API after the return.
4588 */
4589 if (image != NULL && image->opaque != NULL &&
4590 image->opaque->error_buf == NULL)
4591 {
4592 png_image_free_function(image);
4593 image->opaque = NULL;
4594 }
4595 }
4596
4597 int /* PRIVATE */
4598 png_image_error(png_imagep image, png_const_charp error_message)
4599 {
4600 /* Utility to log an error. */
4601 png_safecat(image->message, (sizeof image->message), 0, error_message);
4602 image->warning_or_error |= PNG_IMAGE_ERROR;
4603 png_image_free(image);
4604 return 0;
4605 }
4606
4607 #endif /* SIMPLIFIED READ/WRITE */
4608 #endif /* READ || WRITE */
4609