1/* png.c - location for general purpose libpng functions2*3* Last changed in libpng 1.6.33 [September 28, 2017]4* Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson5* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)6* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)7*8* This code is released under the libpng license.9* For conditions of distribution and use, see the disclaimer10* and license in png.h11*/1213#include "pngpriv.h"1415/* Generate a compiler error if there is an old png.h in the search path. */16typedef png_libpng_version_1_6_34 Your_png_h_is_not_version_1_6_34;1718#ifdef __GNUC__19/* The version tests may need to be added to, but the problem warning has20* consistently been fixed in GCC versions which obtain wide-spread release.21* The problem is that many versions of GCC rearrange comparison expressions in22* the optimizer in such a way that the results of the comparison will change23* if signed integer overflow occurs. Such comparisons are not permitted in24* ANSI C90, however GCC isn't clever enough to work out that that do not occur25* below in png_ascii_from_fp and png_muldiv, so it produces a warning with26* -Wextra. Unfortunately this is highly dependent on the optimizer and the27* machine architecture so the warning comes and goes unpredictably and is28* impossible to "fix", even were that a good idea.29*/30#if __GNUC__ == 7 && __GNUC_MINOR__ == 131#define GCC_STRICT_OVERFLOW 132#endif /* GNU 7.1.x */33#endif /* GNU */34#ifndef GCC_STRICT_OVERFLOW35#define GCC_STRICT_OVERFLOW 036#endif3738/* Tells libpng that we have already handled the first "num_bytes" bytes39* of the PNG file signature. If the PNG data is embedded into another40* stream we can set num_bytes = 8 so that libpng will not attempt to read41* or write any of the magic bytes before it starts on the IHDR.42*/4344#ifdef PNG_READ_SUPPORTED45void PNGAPI46png_set_sig_bytes(png_structrp png_ptr, int num_bytes)47{48unsigned int nb = (unsigned int)num_bytes;4950png_debug(1, "in png_set_sig_bytes");5152if (png_ptr == NULL)53return;5455if (num_bytes < 0)56nb = 0;5758if (nb > 8)59png_error(png_ptr, "Too many bytes for PNG signature");6061png_ptr->sig_bytes = (png_byte)nb;62}6364/* Checks whether the supplied bytes match the PNG signature. We allow65* checking less than the full 8-byte signature so that those apps that66* already read the first few bytes of a file to determine the file type67* can simply check the remaining bytes for extra assurance. Returns68* an integer less than, equal to, or greater than zero if sig is found,69* respectively, to be less than, to match, or be greater than the correct70* PNG signature (this is the same behavior as strcmp, memcmp, etc).71*/72int PNGAPI73png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)74{75png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};7677if (num_to_check > 8)78num_to_check = 8;7980else if (num_to_check < 1)81return (-1);8283if (start > 7)84return (-1);8586if (start + num_to_check > 8)87num_to_check = 8 - start;8889return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));90}9192#endif /* READ */9394#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)95/* Function to allocate memory for zlib */96PNG_FUNCTION(voidpf /* PRIVATE */,97png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)98{99png_alloc_size_t num_bytes = size;100101if (png_ptr == NULL)102return NULL;103104if (items >= (~(png_alloc_size_t)0)/size)105{106png_warning (png_voidcast(png_structrp, png_ptr),107"Potential overflow in png_zalloc()");108return NULL;109}110111num_bytes *= items;112return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);113}114115/* Function to free memory for zlib */116void /* PRIVATE */117png_zfree(voidpf png_ptr, voidpf ptr)118{119png_free(png_voidcast(png_const_structrp,png_ptr), ptr);120}121122/* Reset the CRC variable to 32 bits of 1's. Care must be taken123* in case CRC is > 32 bits to leave the top bits 0.124*/125void /* PRIVATE */126png_reset_crc(png_structrp png_ptr)127{128/* The cast is safe because the crc is a 32-bit value. */129png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);130}131132/* Calculate the CRC over a section of data. We can only pass as133* much data to this routine as the largest single buffer size. We134* also check that this data will actually be used before going to the135* trouble of calculating it.136*/137void /* PRIVATE */138png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)139{140int need_crc = 1;141142if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)143{144if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==145(PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))146need_crc = 0;147}148149else /* critical */150{151if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)152need_crc = 0;153}154155/* 'uLong' is defined in zlib.h as unsigned long; this means that on some156* systems it is a 64-bit value. crc32, however, returns 32 bits so the157* following cast is safe. 'uInt' may be no more than 16 bits, so it is158* necessary to perform a loop here.159*/160if (need_crc != 0 && length > 0)161{162uLong crc = png_ptr->crc; /* Should never issue a warning */163164do165{166uInt safe_length = (uInt)length;167#ifndef __COVERITY__168if (safe_length == 0)169safe_length = (uInt)-1; /* evil, but safe */170#endif171172crc = crc32(crc, ptr, safe_length);173174/* The following should never issue compiler warnings; if they do the175* target system has characteristics that will probably violate other176* assumptions within the libpng code.177*/178ptr += safe_length;179length -= safe_length;180}181while (length > 0);182183/* And the following is always safe because the crc is only 32 bits. */184png_ptr->crc = (png_uint_32)crc;185}186}187188/* Check a user supplied version number, called from both read and write189* functions that create a png_struct.190*/191int192png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)193{194/* Libpng versions 1.0.0 and later are binary compatible if the version195* string matches through the second '.'; we must recompile any196* applications that use any older library version.197*/198199if (user_png_ver != NULL)200{201int i = -1;202int found_dots = 0;203204do205{206i++;207if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])208png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;209if (user_png_ver[i] == '.')210found_dots++;211} while (found_dots < 2 && user_png_ver[i] != 0 &&212PNG_LIBPNG_VER_STRING[i] != 0);213}214215else216png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;217218if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)219{220#ifdef PNG_WARNINGS_SUPPORTED221size_t pos = 0;222char m[128];223224pos = png_safecat(m, (sizeof m), pos,225"Application built with libpng-");226pos = png_safecat(m, (sizeof m), pos, user_png_ver);227pos = png_safecat(m, (sizeof m), pos, " but running with ");228pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);229PNG_UNUSED(pos)230231png_warning(png_ptr, m);232#endif233234#ifdef PNG_ERROR_NUMBERS_SUPPORTED235png_ptr->flags = 0;236#endif237238return 0;239}240241/* Success return. */242return 1;243}244245/* Generic function to create a png_struct for either read or write - this246* contains the common initialization.247*/248PNG_FUNCTION(png_structp /* PRIVATE */,249png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,250png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,251png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)252{253png_struct create_struct;254# ifdef PNG_SETJMP_SUPPORTED255jmp_buf create_jmp_buf;256# endif257258/* This temporary stack-allocated structure is used to provide a place to259* build enough context to allow the user provided memory allocator (if any)260* to be called.261*/262memset(&create_struct, 0, (sizeof create_struct));263264/* Added at libpng-1.2.6 */265# ifdef PNG_USER_LIMITS_SUPPORTED266create_struct.user_width_max = PNG_USER_WIDTH_MAX;267create_struct.user_height_max = PNG_USER_HEIGHT_MAX;268269# ifdef PNG_USER_CHUNK_CACHE_MAX270/* Added at libpng-1.2.43 and 1.4.0 */271create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;272# endif273274# ifdef PNG_USER_CHUNK_MALLOC_MAX275/* Added at libpng-1.2.43 and 1.4.1, required only for read but exists276* in png_struct regardless.277*/278create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;279# endif280# endif281282/* The following two API calls simply set fields in png_struct, so it is safe283* to do them now even though error handling is not yet set up.284*/285# ifdef PNG_USER_MEM_SUPPORTED286png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);287# else288PNG_UNUSED(mem_ptr)289PNG_UNUSED(malloc_fn)290PNG_UNUSED(free_fn)291# endif292293/* (*error_fn) can return control to the caller after the error_ptr is set,294* this will result in a memory leak unless the error_fn does something295* extremely sophisticated. The design lacks merit but is implicit in the296* API.297*/298png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);299300# ifdef PNG_SETJMP_SUPPORTED301if (!setjmp(create_jmp_buf))302# endif303{304# ifdef PNG_SETJMP_SUPPORTED305/* Temporarily fake out the longjmp information until we have306* successfully completed this function. This only works if we have307* setjmp() support compiled in, but it is safe - this stuff should308* never happen.309*/310create_struct.jmp_buf_ptr = &create_jmp_buf;311create_struct.jmp_buf_size = 0; /*stack allocation*/312create_struct.longjmp_fn = longjmp;313# endif314/* Call the general version checker (shared with read and write code):315*/316if (png_user_version_check(&create_struct, user_png_ver) != 0)317{318png_structrp png_ptr = png_voidcast(png_structrp,319png_malloc_warn(&create_struct, (sizeof *png_ptr)));320321if (png_ptr != NULL)322{323/* png_ptr->zstream holds a back-pointer to the png_struct, so324* this can only be done now:325*/326create_struct.zstream.zalloc = png_zalloc;327create_struct.zstream.zfree = png_zfree;328create_struct.zstream.opaque = png_ptr;329330# ifdef PNG_SETJMP_SUPPORTED331/* Eliminate the local error handling: */332create_struct.jmp_buf_ptr = NULL;333create_struct.jmp_buf_size = 0;334create_struct.longjmp_fn = 0;335# endif336337*png_ptr = create_struct;338339/* This is the successful return point */340return png_ptr;341}342}343}344345/* A longjmp because of a bug in the application storage allocator or a346* simple failure to allocate the png_struct.347*/348return NULL;349}350351/* Allocate the memory for an info_struct for the application. */352PNG_FUNCTION(png_infop,PNGAPI353png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)354{355png_inforp info_ptr;356357png_debug(1, "in png_create_info_struct");358359if (png_ptr == NULL)360return NULL;361362/* Use the internal API that does not (or at least should not) error out, so363* that this call always returns ok. The application typically sets up the364* error handling *after* creating the info_struct because this is the way it365* has always been done in 'example.c'.366*/367info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,368(sizeof *info_ptr)));369370if (info_ptr != NULL)371memset(info_ptr, 0, (sizeof *info_ptr));372373return info_ptr;374}375376/* This function frees the memory associated with a single info struct.377* Normally, one would use either png_destroy_read_struct() or378* png_destroy_write_struct() to free an info struct, but this may be379* useful for some applications. From libpng 1.6.0 this function is also used380* internally to implement the png_info release part of the 'struct' destroy381* APIs. This ensures that all possible approaches free the same data (all of382* it).383*/384void PNGAPI385png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)386{387png_inforp info_ptr = NULL;388389png_debug(1, "in png_destroy_info_struct");390391if (png_ptr == NULL)392return;393394if (info_ptr_ptr != NULL)395info_ptr = *info_ptr_ptr;396397if (info_ptr != NULL)398{399/* Do this first in case of an error below; if the app implements its own400* memory management this can lead to png_free calling png_error, which401* will abort this routine and return control to the app error handler.402* An infinite loop may result if it then tries to free the same info403* ptr.404*/405*info_ptr_ptr = NULL;406407png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);408memset(info_ptr, 0, (sizeof *info_ptr));409png_free(png_ptr, info_ptr);410}411}412413/* Initialize the info structure. This is now an internal function (0.89)414* and applications using it are urged to use png_create_info_struct()415* instead. Use deprecated in 1.6.0, internal use removed (used internally it416* is just a memset).417*418* NOTE: it is almost inconceivable that this API is used because it bypasses419* the user-memory mechanism and the user error handling/warning mechanisms in420* those cases where it does anything other than a memset.421*/422PNG_FUNCTION(void,PNGAPI423png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),424PNG_DEPRECATED)425{426png_inforp info_ptr = *ptr_ptr;427428png_debug(1, "in png_info_init_3");429430if (info_ptr == NULL)431return;432433if ((sizeof (png_info)) > png_info_struct_size)434{435*ptr_ptr = NULL;436/* The following line is why this API should not be used: */437free(info_ptr);438info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,439(sizeof *info_ptr)));440if (info_ptr == NULL)441return;442*ptr_ptr = info_ptr;443}444445/* Set everything to 0 */446memset(info_ptr, 0, (sizeof *info_ptr));447}448449/* The following API is not called internally */450void PNGAPI451png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,452int freer, png_uint_32 mask)453{454png_debug(1, "in png_data_freer");455456if (png_ptr == NULL || info_ptr == NULL)457return;458459if (freer == PNG_DESTROY_WILL_FREE_DATA)460info_ptr->free_me |= mask;461462else if (freer == PNG_USER_WILL_FREE_DATA)463info_ptr->free_me &= ~mask;464465else466png_error(png_ptr, "Unknown freer parameter in png_data_freer");467}468469void PNGAPI470png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,471int num)472{473png_debug(1, "in png_free_data");474475if (png_ptr == NULL || info_ptr == NULL)476return;477478#ifdef PNG_TEXT_SUPPORTED479/* Free text item num or (if num == -1) all text items */480if (info_ptr->text != NULL &&481((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)482{483if (num != -1)484{485png_free(png_ptr, info_ptr->text[num].key);486info_ptr->text[num].key = NULL;487}488489else490{491int i;492493for (i = 0; i < info_ptr->num_text; i++)494png_free(png_ptr, info_ptr->text[i].key);495496png_free(png_ptr, info_ptr->text);497info_ptr->text = NULL;498info_ptr->num_text = 0;499info_ptr->max_text = 0;500}501}502#endif503504#ifdef PNG_tRNS_SUPPORTED505/* Free any tRNS entry */506if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)507{508info_ptr->valid &= ~PNG_INFO_tRNS;509png_free(png_ptr, info_ptr->trans_alpha);510info_ptr->trans_alpha = NULL;511info_ptr->num_trans = 0;512}513#endif514515#ifdef PNG_sCAL_SUPPORTED516/* Free any sCAL entry */517if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)518{519png_free(png_ptr, info_ptr->scal_s_width);520png_free(png_ptr, info_ptr->scal_s_height);521info_ptr->scal_s_width = NULL;522info_ptr->scal_s_height = NULL;523info_ptr->valid &= ~PNG_INFO_sCAL;524}525#endif526527#ifdef PNG_pCAL_SUPPORTED528/* Free any pCAL entry */529if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)530{531png_free(png_ptr, info_ptr->pcal_purpose);532png_free(png_ptr, info_ptr->pcal_units);533info_ptr->pcal_purpose = NULL;534info_ptr->pcal_units = NULL;535536if (info_ptr->pcal_params != NULL)537{538int i;539540for (i = 0; i < info_ptr->pcal_nparams; i++)541png_free(png_ptr, info_ptr->pcal_params[i]);542543png_free(png_ptr, info_ptr->pcal_params);544info_ptr->pcal_params = NULL;545}546info_ptr->valid &= ~PNG_INFO_pCAL;547}548#endif549550#ifdef PNG_iCCP_SUPPORTED551/* Free any profile entry */552if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)553{554png_free(png_ptr, info_ptr->iccp_name);555png_free(png_ptr, info_ptr->iccp_profile);556info_ptr->iccp_name = NULL;557info_ptr->iccp_profile = NULL;558info_ptr->valid &= ~PNG_INFO_iCCP;559}560#endif561562#ifdef PNG_sPLT_SUPPORTED563/* Free a given sPLT entry, or (if num == -1) all sPLT entries */564if (info_ptr->splt_palettes != NULL &&565((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)566{567if (num != -1)568{569png_free(png_ptr, info_ptr->splt_palettes[num].name);570png_free(png_ptr, info_ptr->splt_palettes[num].entries);571info_ptr->splt_palettes[num].name = NULL;572info_ptr->splt_palettes[num].entries = NULL;573}574575else576{577int i;578579for (i = 0; i < info_ptr->splt_palettes_num; i++)580{581png_free(png_ptr, info_ptr->splt_palettes[i].name);582png_free(png_ptr, info_ptr->splt_palettes[i].entries);583}584585png_free(png_ptr, info_ptr->splt_palettes);586info_ptr->splt_palettes = NULL;587info_ptr->splt_palettes_num = 0;588info_ptr->valid &= ~PNG_INFO_sPLT;589}590}591#endif592593#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED594if (info_ptr->unknown_chunks != NULL &&595((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)596{597if (num != -1)598{599png_free(png_ptr, info_ptr->unknown_chunks[num].data);600info_ptr->unknown_chunks[num].data = NULL;601}602603else604{605int i;606607for (i = 0; i < info_ptr->unknown_chunks_num; i++)608png_free(png_ptr, info_ptr->unknown_chunks[i].data);609610png_free(png_ptr, info_ptr->unknown_chunks);611info_ptr->unknown_chunks = NULL;612info_ptr->unknown_chunks_num = 0;613}614}615#endif616617#ifdef PNG_eXIf_SUPPORTED618/* Free any eXIf entry */619if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)620{621# ifdef PNG_READ_eXIf_SUPPORTED622if (info_ptr->eXIf_buf)623{624png_free(png_ptr, info_ptr->eXIf_buf);625info_ptr->eXIf_buf = NULL;626}627# endif628if (info_ptr->exif)629{630png_free(png_ptr, info_ptr->exif);631info_ptr->exif = NULL;632}633info_ptr->valid &= ~PNG_INFO_eXIf;634}635#endif636637#ifdef PNG_hIST_SUPPORTED638/* Free any hIST entry */639if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)640{641png_free(png_ptr, info_ptr->hist);642info_ptr->hist = NULL;643info_ptr->valid &= ~PNG_INFO_hIST;644}645#endif646647/* Free any PLTE entry that was internally allocated */648if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)649{650png_free(png_ptr, info_ptr->palette);651info_ptr->palette = NULL;652info_ptr->valid &= ~PNG_INFO_PLTE;653info_ptr->num_palette = 0;654}655656#ifdef PNG_INFO_IMAGE_SUPPORTED657/* Free any image bits attached to the info structure */658if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)659{660if (info_ptr->row_pointers != NULL)661{662png_uint_32 row;663for (row = 0; row < info_ptr->height; row++)664png_free(png_ptr, info_ptr->row_pointers[row]);665666png_free(png_ptr, info_ptr->row_pointers);667info_ptr->row_pointers = NULL;668}669info_ptr->valid &= ~PNG_INFO_IDAT;670}671#endif672673if (num != -1)674mask &= ~PNG_FREE_MUL;675676info_ptr->free_me &= ~mask;677}678#endif /* READ || WRITE */679680/* This function returns a pointer to the io_ptr associated with the user681* functions. The application should free any memory associated with this682* pointer before png_write_destroy() or png_read_destroy() are called.683*/684png_voidp PNGAPI685png_get_io_ptr(png_const_structrp png_ptr)686{687if (png_ptr == NULL)688return (NULL);689690return (png_ptr->io_ptr);691}692693#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)694# ifdef PNG_STDIO_SUPPORTED695/* Initialize the default input/output functions for the PNG file. If you696* use your own read or write routines, you can call either png_set_read_fn()697* or png_set_write_fn() instead of png_init_io(). If you have defined698* PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a699* function of your own because "FILE *" isn't necessarily available.700*/701void PNGAPI702png_init_io(png_structrp png_ptr, png_FILE_p fp)703{704png_debug(1, "in png_init_io");705706if (png_ptr == NULL)707return;708709png_ptr->io_ptr = (png_voidp)fp;710}711# endif712713# ifdef PNG_SAVE_INT_32_SUPPORTED714/* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90715* defines a cast of a signed integer to an unsigned integer either to preserve716* the value, if it is positive, or to calculate:717*718* (UNSIGNED_MAX+1) + integer719*720* Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the721* negative integral value is added the result will be an unsigned value722* correspnding to the 2's complement representation.723*/724void PNGAPI725png_save_int_32(png_bytep buf, png_int_32 i)726{727png_save_uint_32(buf, (png_uint_32)i);728}729# endif730731# ifdef PNG_TIME_RFC1123_SUPPORTED732/* Convert the supplied time into an RFC 1123 string suitable for use in733* a "Creation Time" or other text-based time string.734*/735int PNGAPI736png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)737{738static PNG_CONST char short_months[12][4] =739{"Jan", "Feb", "Mar", "Apr", "May", "Jun",740"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};741742if (out == NULL)743return 0;744745if (ptime->year > 9999 /* RFC1123 limitation */ ||746ptime->month == 0 || ptime->month > 12 ||747ptime->day == 0 || ptime->day > 31 ||748ptime->hour > 23 || ptime->minute > 59 ||749ptime->second > 60)750return 0;751752{753size_t pos = 0;754char number_buf[5]; /* enough for a four-digit year */755756# define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))757# define APPEND_NUMBER(format, value)\758APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))759# define APPEND(ch) if (pos < 28) out[pos++] = (ch)760761APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);762APPEND(' ');763APPEND_STRING(short_months[(ptime->month - 1)]);764APPEND(' ');765APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);766APPEND(' ');767APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);768APPEND(':');769APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);770APPEND(':');771APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);772APPEND_STRING(" +0000"); /* This reliably terminates the buffer */773PNG_UNUSED (pos)774775# undef APPEND776# undef APPEND_NUMBER777# undef APPEND_STRING778}779780return 1;781}782783# if PNG_LIBPNG_VER < 10700784/* To do: remove the following from libpng-1.7 */785/* Original API that uses a private buffer in png_struct.786* Deprecated because it causes png_struct to carry a spurious temporary787* buffer (png_struct::time_buffer), better to have the caller pass this in.788*/789png_const_charp PNGAPI790png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)791{792if (png_ptr != NULL)793{794/* The only failure above if png_ptr != NULL is from an invalid ptime */795if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)796png_warning(png_ptr, "Ignoring invalid time value");797798else799return png_ptr->time_buffer;800}801802return NULL;803}804# endif /* LIBPNG_VER < 10700 */805# endif /* TIME_RFC1123 */806807#endif /* READ || WRITE */808809png_const_charp PNGAPI810png_get_copyright(png_const_structrp png_ptr)811{812PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */813#ifdef PNG_STRING_COPYRIGHT814return PNG_STRING_COPYRIGHT815#else816# ifdef __STDC__817return PNG_STRING_NEWLINE \818"libpng version 1.6.34 - September 29, 2017" PNG_STRING_NEWLINE \819"Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \820PNG_STRING_NEWLINE \821"Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \822"Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \823PNG_STRING_NEWLINE;824# else825return "libpng version 1.6.34 - September 29, 2017\826Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\827Copyright (c) 1996-1997 Andreas Dilger\828Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";829# endif830#endif831}832833/* The following return the library version as a short string in the834* format 1.0.0 through 99.99.99zz. To get the version of *.h files835* used with your application, print out PNG_LIBPNG_VER_STRING, which836* is defined in png.h.837* Note: now there is no difference between png_get_libpng_ver() and838* png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,839* it is guaranteed that png.c uses the correct version of png.h.840*/841png_const_charp PNGAPI842png_get_libpng_ver(png_const_structrp png_ptr)843{844/* Version of *.c files used when building libpng */845return png_get_header_ver(png_ptr);846}847848png_const_charp PNGAPI849png_get_header_ver(png_const_structrp png_ptr)850{851/* Version of *.h files used when building libpng */852PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */853return PNG_LIBPNG_VER_STRING;854}855856png_const_charp PNGAPI857png_get_header_version(png_const_structrp png_ptr)858{859/* Returns longer string containing both version and date */860PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */861#ifdef __STDC__862return PNG_HEADER_VERSION_STRING863# ifndef PNG_READ_SUPPORTED864" (NO READ SUPPORT)"865# endif866PNG_STRING_NEWLINE;867#else868return PNG_HEADER_VERSION_STRING;869#endif870}871872#ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED873/* NOTE: this routine is not used internally! */874/* Build a grayscale palette. Palette is assumed to be 1 << bit_depth875* large of png_color. This lets grayscale images be treated as876* paletted. Most useful for gamma correction and simplification877* of code. This API is not used internally.878*/879void PNGAPI880png_build_grayscale_palette(int bit_depth, png_colorp palette)881{882int num_palette;883int color_inc;884int i;885int v;886887png_debug(1, "in png_do_build_grayscale_palette");888889if (palette == NULL)890return;891892switch (bit_depth)893{894case 1:895num_palette = 2;896color_inc = 0xff;897break;898899case 2:900num_palette = 4;901color_inc = 0x55;902break;903904case 4:905num_palette = 16;906color_inc = 0x11;907break;908909case 8:910num_palette = 256;911color_inc = 1;912break;913914default:915num_palette = 0;916color_inc = 0;917break;918}919920for (i = 0, v = 0; i < num_palette; i++, v += color_inc)921{922palette[i].red = (png_byte)(v & 0xff);923palette[i].green = (png_byte)(v & 0xff);924palette[i].blue = (png_byte)(v & 0xff);925}926}927#endif928929#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED930int PNGAPI931png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)932{933/* Check chunk_name and return "keep" value if it's on the list, else 0 */934png_const_bytep p, p_end;935936if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)937return PNG_HANDLE_CHUNK_AS_DEFAULT;938939p_end = png_ptr->chunk_list;940p = p_end + png_ptr->num_chunk_list*5; /* beyond end */941942/* The code is the fifth byte after each four byte string. Historically this943* code was always searched from the end of the list, this is no longer944* necessary because the 'set' routine handles duplicate entries correcty.945*/946do /* num_chunk_list > 0, so at least one */947{948p -= 5;949950if (memcmp(chunk_name, p, 4) == 0)951return p[4];952}953while (p > p_end);954955/* This means that known chunks should be processed and unknown chunks should956* be handled according to the value of png_ptr->unknown_default; this can be957* confusing because, as a result, there are two levels of defaulting for958* unknown chunks.959*/960return PNG_HANDLE_CHUNK_AS_DEFAULT;961}962963#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\964defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)965int /* PRIVATE */966png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)967{968png_byte chunk_string[5];969970PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);971return png_handle_as_unknown(png_ptr, chunk_string);972}973#endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */974#endif /* SET_UNKNOWN_CHUNKS */975976#ifdef PNG_READ_SUPPORTED977/* This function, added to libpng-1.0.6g, is untested. */978int PNGAPI979png_reset_zstream(png_structrp png_ptr)980{981if (png_ptr == NULL)982return Z_STREAM_ERROR;983984/* WARNING: this resets the window bits to the maximum! */985return (inflateReset(&png_ptr->zstream));986}987#endif /* READ */988989/* This function was added to libpng-1.0.7 */990png_uint_32 PNGAPI991png_access_version_number(void)992{993/* Version of *.c files used when building libpng */994return((png_uint_32)PNG_LIBPNG_VER);995}996997#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)998/* Ensure that png_ptr->zstream.msg holds some appropriate error message string.999* If it doesn't 'ret' is used to set it to something appropriate, even in cases1000* like Z_OK or Z_STREAM_END where the error code is apparently a success code.1001*/1002void /* PRIVATE */1003png_zstream_error(png_structrp png_ptr, int ret)1004{1005/* Translate 'ret' into an appropriate error string, priority is given to the1006* one in zstream if set. This always returns a string, even in cases like1007* Z_OK or Z_STREAM_END where the error code is a success code.1008*/1009if (png_ptr->zstream.msg == NULL) switch (ret)1010{1011default:1012case Z_OK:1013png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");1014break;10151016case Z_STREAM_END:1017/* Normal exit */1018png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");1019break;10201021case Z_NEED_DICT:1022/* This means the deflate stream did not have a dictionary; this1023* indicates a bogus PNG.1024*/1025png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");1026break;10271028case Z_ERRNO:1029/* gz APIs only: should not happen */1030png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");1031break;10321033case Z_STREAM_ERROR:1034/* internal libpng error */1035png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");1036break;10371038case Z_DATA_ERROR:1039png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");1040break;10411042case Z_MEM_ERROR:1043png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");1044break;10451046case Z_BUF_ERROR:1047/* End of input or output; not a problem if the caller is doing1048* incremental read or write.1049*/1050png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");1051break;10521053case Z_VERSION_ERROR:1054png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");1055break;10561057case PNG_UNEXPECTED_ZLIB_RETURN:1058/* Compile errors here mean that zlib now uses the value co-opted in1059* pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above1060* and change pngpriv.h. Note that this message is "... return",1061* whereas the default/Z_OK one is "... return code".1062*/1063png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");1064break;1065}1066}10671068/* png_convert_size: a PNGAPI but no longer in png.h, so deleted1069* at libpng 1.5.5!1070*/10711072/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */1073#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */1074static int1075png_colorspace_check_gamma(png_const_structrp png_ptr,1076png_colorspacerp colorspace, png_fixed_point gAMA, int from)1077/* This is called to check a new gamma value against an existing one. The1078* routine returns false if the new gamma value should not be written.1079*1080* 'from' says where the new gamma value comes from:1081*1082* 0: the new gamma value is the libpng estimate for an ICC profile1083* 1: the new gamma value comes from a gAMA chunk1084* 2: the new gamma value comes from an sRGB chunk1085*/1086{1087png_fixed_point gtest;10881089if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&1090(png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||1091png_gamma_significant(gtest) != 0))1092{1093/* Either this is an sRGB image, in which case the calculated gamma1094* approximation should match, or this is an image with a profile and the1095* value libpng calculates for the gamma of the profile does not match the1096* value recorded in the file. The former, sRGB, case is an error, the1097* latter is just a warning.1098*/1099if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)1100{1101png_chunk_report(png_ptr, "gamma value does not match sRGB",1102PNG_CHUNK_ERROR);1103/* Do not overwrite an sRGB value */1104return from == 2;1105}11061107else /* sRGB tag not involved */1108{1109png_chunk_report(png_ptr, "gamma value does not match libpng estimate",1110PNG_CHUNK_WARNING);1111return from == 1;1112}1113}11141115return 1;1116}11171118void /* PRIVATE */1119png_colorspace_set_gamma(png_const_structrp png_ptr,1120png_colorspacerp colorspace, png_fixed_point gAMA)1121{1122/* Changed in libpng-1.5.4 to limit the values to ensure overflow can't1123* occur. Since the fixed point representation is asymetrical it is1124* possible for 1/gamma to overflow the limit of 21474 and this means the1125* gamma value must be at least 5/100000 and hence at most 20000.0. For1126* safety the limits here are a little narrower. The values are 0.00016 to1127* 6250.0, which are truly ridiculous gamma values (and will produce1128* displays that are all black or all white.)1129*1130* In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk1131* handling code, which only required the value to be >0.1132*/1133png_const_charp errmsg;11341135if (gAMA < 16 || gAMA > 625000000)1136errmsg = "gamma value out of range";11371138# ifdef PNG_READ_gAMA_SUPPORTED1139/* Allow the application to set the gamma value more than once */1140else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&1141(colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)1142errmsg = "duplicate";1143# endif11441145/* Do nothing if the colorspace is already invalid */1146else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)1147return;11481149else1150{1151if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,11521/*from gAMA*/) != 0)1153{1154/* Store this gamma value. */1155colorspace->gamma = gAMA;1156colorspace->flags |=1157(PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);1158}11591160/* At present if the check_gamma test fails the gamma of the colorspace is1161* not updated however the colorspace is not invalidated. This1162* corresponds to the case where the existing gamma comes from an sRGB1163* chunk or profile. An error message has already been output.1164*/1165return;1166}11671168/* Error exit - errmsg has been set. */1169colorspace->flags |= PNG_COLORSPACE_INVALID;1170png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);1171}11721173void /* PRIVATE */1174png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)1175{1176if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)1177{1178/* Everything is invalid */1179info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|1180PNG_INFO_iCCP);11811182# ifdef PNG_COLORSPACE_SUPPORTED1183/* Clean up the iCCP profile now if it won't be used. */1184png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);1185# else1186PNG_UNUSED(png_ptr)1187# endif1188}11891190else1191{1192# ifdef PNG_COLORSPACE_SUPPORTED1193/* Leave the INFO_iCCP flag set if the pngset.c code has already set1194* it; this allows a PNG to contain a profile which matches sRGB and1195* yet still have that profile retrievable by the application.1196*/1197if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)1198info_ptr->valid |= PNG_INFO_sRGB;11991200else1201info_ptr->valid &= ~PNG_INFO_sRGB;12021203if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)1204info_ptr->valid |= PNG_INFO_cHRM;12051206else1207info_ptr->valid &= ~PNG_INFO_cHRM;1208# endif12091210if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)1211info_ptr->valid |= PNG_INFO_gAMA;12121213else1214info_ptr->valid &= ~PNG_INFO_gAMA;1215}1216}12171218#ifdef PNG_READ_SUPPORTED1219void /* PRIVATE */1220png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)1221{1222if (info_ptr == NULL) /* reduce code size; check here not in the caller */1223return;12241225info_ptr->colorspace = png_ptr->colorspace;1226png_colorspace_sync_info(png_ptr, info_ptr);1227}1228#endif1229#endif /* GAMMA */12301231#ifdef PNG_COLORSPACE_SUPPORTED1232/* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for1233* cHRM, as opposed to using chromaticities. These internal APIs return1234* non-zero on a parameter error. The X, Y and Z values are required to be1235* positive and less than 1.0.1236*/1237static int1238png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)1239{1240png_int_32 d, dwhite, whiteX, whiteY;12411242d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;1243if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)1244return 1;1245if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)1246return 1;1247dwhite = d;1248whiteX = XYZ->red_X;1249whiteY = XYZ->red_Y;12501251d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;1252if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)1253return 1;1254if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)1255return 1;1256dwhite += d;1257whiteX += XYZ->green_X;1258whiteY += XYZ->green_Y;12591260d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;1261if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)1262return 1;1263if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)1264return 1;1265dwhite += d;1266whiteX += XYZ->blue_X;1267whiteY += XYZ->blue_Y;12681269/* The reference white is simply the sum of the end-point (X,Y,Z) vectors,1270* thus:1271*/1272if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)1273return 1;1274if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)1275return 1;12761277return 0;1278}12791280static int1281png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)1282{1283png_fixed_point red_inverse, green_inverse, blue_scale;1284png_fixed_point left, right, denominator;12851286/* Check xy and, implicitly, z. Note that wide gamut color spaces typically1287* have end points with 0 tristimulus values (these are impossible end1288* points, but they are used to cover the possible colors). We check1289* xy->whitey against 5, not 0, to avoid a possible integer overflow.1290*/1291if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;1292if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;1293if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;1294if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;1295if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;1296if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;1297if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;1298if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;12991300/* The reverse calculation is more difficult because the original tristimulus1301* value had 9 independent values (red,green,blue)x(X,Y,Z) however only 81302* derived values were recorded in the cHRM chunk;1303* (red,green,blue,white)x(x,y). This loses one degree of freedom and1304* therefore an arbitrary ninth value has to be introduced to undo the1305* original transformations.1306*1307* Think of the original end-points as points in (X,Y,Z) space. The1308* chromaticity values (c) have the property:1309*1310* C1311* c = ---------1312* X + Y + Z1313*1314* For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the1315* three chromaticity values (x,y,z) for each end-point obey the1316* relationship:1317*1318* x + y + z = 11319*1320* This describes the plane in (X,Y,Z) space that intersects each axis at the1321* value 1.0; call this the chromaticity plane. Thus the chromaticity1322* calculation has scaled each end-point so that it is on the x+y+z=1 plane1323* and chromaticity is the intersection of the vector from the origin to the1324* (X,Y,Z) value with the chromaticity plane.1325*1326* To fully invert the chromaticity calculation we would need the three1327* end-point scale factors, (red-scale, green-scale, blue-scale), but these1328* were not recorded. Instead we calculated the reference white (X,Y,Z) and1329* recorded the chromaticity of this. The reference white (X,Y,Z) would have1330* given all three of the scale factors since:1331*1332* color-C = color-c * color-scale1333* white-C = red-C + green-C + blue-C1334* = red-c*red-scale + green-c*green-scale + blue-c*blue-scale1335*1336* But cHRM records only white-x and white-y, so we have lost the white scale1337* factor:1338*1339* white-C = white-c*white-scale1340*1341* To handle this the inverse transformation makes an arbitrary assumption1342* about white-scale:1343*1344* Assume: white-Y = 1.01345* Hence: white-scale = 1/white-y1346* Or: red-Y + green-Y + blue-Y = 1.01347*1348* Notice the last statement of the assumption gives an equation in three of1349* the nine values we want to calculate. 8 more equations come from the1350* above routine as summarised at the top above (the chromaticity1351* calculation):1352*1353* Given: color-x = color-X / (color-X + color-Y + color-Z)1354* Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 01355*1356* This is 9 simultaneous equations in the 9 variables "color-C" and can be1357* solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix1358* determinants, however this is not as bad as it seems because only 28 of1359* the total of 90 terms in the various matrices are non-zero. Nevertheless1360* Cramer's rule is notoriously numerically unstable because the determinant1361* calculation involves the difference of large, but similar, numbers. It is1362* difficult to be sure that the calculation is stable for real world values1363* and it is certain that it becomes unstable where the end points are close1364* together.1365*1366* So this code uses the perhaps slightly less optimal but more1367* understandable and totally obvious approach of calculating color-scale.1368*1369* This algorithm depends on the precision in white-scale and that is1370* (1/white-y), so we can immediately see that as white-y approaches 0 the1371* accuracy inherent in the cHRM chunk drops off substantially.1372*1373* libpng arithmetic: a simple inversion of the above equations1374* ------------------------------------------------------------1375*1376* white_scale = 1/white-y1377* white-X = white-x * white-scale1378* white-Y = 1.01379* white-Z = (1 - white-x - white-y) * white_scale1380*1381* white-C = red-C + green-C + blue-C1382* = red-c*red-scale + green-c*green-scale + blue-c*blue-scale1383*1384* This gives us three equations in (red-scale,green-scale,blue-scale) where1385* all the coefficients are now known:1386*1387* red-x*red-scale + green-x*green-scale + blue-x*blue-scale1388* = white-x/white-y1389* red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 11390* red-z*red-scale + green-z*green-scale + blue-z*blue-scale1391* = (1 - white-x - white-y)/white-y1392*1393* In the last equation color-z is (1 - color-x - color-y) so we can add all1394* three equations together to get an alternative third:1395*1396* red-scale + green-scale + blue-scale = 1/white-y = white-scale1397*1398* So now we have a Cramer's rule solution where the determinants are just1399* 3x3 - far more tractible. Unfortunately 3x3 determinants still involve1400* multiplication of three coefficients so we can't guarantee to avoid1401* overflow in the libpng fixed point representation. Using Cramer's rule in1402* floating point is probably a good choice here, but it's not an option for1403* fixed point. Instead proceed to simplify the first two equations by1404* eliminating what is likely to be the largest value, blue-scale:1405*1406* blue-scale = white-scale - red-scale - green-scale1407*1408* Hence:1409*1410* (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =1411* (white-x - blue-x)*white-scale1412*1413* (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =1414* 1 - blue-y*white-scale1415*1416* And now we can trivially solve for (red-scale,green-scale):1417*1418* green-scale =1419* (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale1420* -----------------------------------------------------------1421* green-x - blue-x1422*1423* red-scale =1424* 1 - blue-y*white-scale - (green-y - blue-y) * green-scale1425* ---------------------------------------------------------1426* red-y - blue-y1427*1428* Hence:1429*1430* red-scale =1431* ( (green-x - blue-x) * (white-y - blue-y) -1432* (green-y - blue-y) * (white-x - blue-x) ) / white-y1433* -------------------------------------------------------------------------1434* (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)1435*1436* green-scale =1437* ( (red-y - blue-y) * (white-x - blue-x) -1438* (red-x - blue-x) * (white-y - blue-y) ) / white-y1439* -------------------------------------------------------------------------1440* (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)1441*1442* Accuracy:1443* The input values have 5 decimal digits of accuracy. The values are all in1444* the range 0 < value < 1, so simple products are in the same range but may1445* need up to 10 decimal digits to preserve the original precision and avoid1446* underflow. Because we are using a 32-bit signed representation we cannot1447* match this; the best is a little over 9 decimal digits, less than 10.1448*1449* The approach used here is to preserve the maximum precision within the1450* signed representation. Because the red-scale calculation above uses the1451* difference between two products of values that must be in the range -1..+11452* it is sufficient to divide the product by 7; ceil(100,000/32767*2). The1453* factor is irrelevant in the calculation because it is applied to both1454* numerator and denominator.1455*1456* Note that the values of the differences of the products of the1457* chromaticities in the above equations tend to be small, for example for1458* the sRGB chromaticities they are:1459*1460* red numerator: -0.047511461* green numerator: -0.087881462* denominator: -0.2241 (without white-y multiplication)1463*1464* The resultant Y coefficients from the chromaticities of some widely used1465* color space definitions are (to 15 decimal places):1466*1467* sRGB1468* 0.212639005871510 0.715168678767756 0.0721923153607341469* Kodak ProPhoto1470* 0.288071128229293 0.711843217810102 0.0000856539606051471* Adobe RGB1472* 0.297344975250536 0.627363566255466 0.0752914584939981473* Adobe Wide Gamut RGB1474* 0.258728243040113 0.724682314948566 0.0165894420113211475*/1476/* By the argument, above overflow should be impossible here. The return1477* value of 2 indicates an internal error to the caller.1478*/1479if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)1480return 2;1481if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)1482return 2;1483denominator = left - right;14841485/* Now find the red numerator. */1486if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)1487return 2;1488if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)1489return 2;14901491/* Overflow is possible here and it indicates an extreme set of PNG cHRM1492* chunk values. This calculation actually returns the reciprocal of the1493* scale value because this allows us to delay the multiplication of white-y1494* into the denominator, which tends to produce a small number.1495*/1496if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||1497red_inverse <= xy->whitey /* r+g+b scales = white scale */)1498return 1;14991500/* Similarly for green_inverse: */1501if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)1502return 2;1503if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)1504return 2;1505if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||1506green_inverse <= xy->whitey)1507return 1;15081509/* And the blue scale, the checks above guarantee this can't overflow but it1510* can still produce 0 for extreme cHRM values.1511*/1512blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -1513png_reciprocal(green_inverse);1514if (blue_scale <= 0)1515return 1;151615171518/* And fill in the png_XYZ: */1519if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)1520return 1;1521if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)1522return 1;1523if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,1524red_inverse) == 0)1525return 1;15261527if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)1528return 1;1529if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)1530return 1;1531if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,1532green_inverse) == 0)1533return 1;15341535if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)1536return 1;1537if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)1538return 1;1539if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,1540PNG_FP_1) == 0)1541return 1;15421543return 0; /*success*/1544}15451546static int1547png_XYZ_normalize(png_XYZ *XYZ)1548{1549png_int_32 Y;15501551if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||1552XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||1553XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)1554return 1;15551556/* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.1557* IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore1558* relying on addition of two positive values producing a negative one is not1559* safe.1560*/1561Y = XYZ->red_Y;1562if (0x7fffffff - Y < XYZ->green_X)1563return 1;1564Y += XYZ->green_Y;1565if (0x7fffffff - Y < XYZ->blue_X)1566return 1;1567Y += XYZ->blue_Y;15681569if (Y != PNG_FP_1)1570{1571if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)1572return 1;1573if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)1574return 1;1575if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)1576return 1;15771578if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)1579return 1;1580if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)1581return 1;1582if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)1583return 1;15841585if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)1586return 1;1587if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)1588return 1;1589if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)1590return 1;1591}15921593return 0;1594}15951596static int1597png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)1598{1599/* Allow an error of +/-0.01 (absolute value) on each chromaticity */1600if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||1601PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||1602PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||1603PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||1604PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||1605PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||1606PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||1607PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))1608return 0;1609return 1;1610}16111612/* Added in libpng-1.6.0, a different check for the validity of a set of cHRM1613* chunk chromaticities. Earlier checks used to simply look for the overflow1614* condition (where the determinant of the matrix to solve for XYZ ends up zero1615* because the chromaticity values are not all distinct.) Despite this it is1616* theoretically possible to produce chromaticities that are apparently valid1617* but that rapidly degrade to invalid, potentially crashing, sets because of1618* arithmetic inaccuracies when calculations are performed on them. The new1619* check is to round-trip xy -> XYZ -> xy and then check that the result is1620* within a small percentage of the original.1621*/1622static int1623png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)1624{1625int result;1626png_xy xy_test;16271628/* As a side-effect this routine also returns the XYZ endpoints. */1629result = png_XYZ_from_xy(XYZ, xy);1630if (result != 0)1631return result;16321633result = png_xy_from_XYZ(&xy_test, XYZ);1634if (result != 0)1635return result;16361637if (png_colorspace_endpoints_match(xy, &xy_test,16385/*actually, the math is pretty accurate*/) != 0)1639return 0;16401641/* Too much slip */1642return 1;1643}16441645/* This is the check going the other way. The XYZ is modified to normalize it1646* (another side-effect) and the xy chromaticities are returned.1647*/1648static int1649png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)1650{1651int result;1652png_XYZ XYZtemp;16531654result = png_XYZ_normalize(XYZ);1655if (result != 0)1656return result;16571658result = png_xy_from_XYZ(xy, XYZ);1659if (result != 0)1660return result;16611662XYZtemp = *XYZ;1663return png_colorspace_check_xy(&XYZtemp, xy);1664}16651666/* Used to check for an endpoint match against sRGB */1667static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */1668{1669/* color x y */1670/* red */ 64000, 33000,1671/* green */ 30000, 60000,1672/* blue */ 15000, 6000,1673/* white */ 31270, 329001674};16751676static int1677png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,1678png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,1679int preferred)1680{1681if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)1682return 0;16831684/* The consistency check is performed on the chromaticities; this factors out1685* variations because of the normalization (or not) of the end point Y1686* values.1687*/1688if (preferred < 2 &&1689(colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)1690{1691/* The end points must be reasonably close to any we already have. The1692* following allows an error of up to +/-.0011693*/1694if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,1695100) == 0)1696{1697colorspace->flags |= PNG_COLORSPACE_INVALID;1698png_benign_error(png_ptr, "inconsistent chromaticities");1699return 0; /* failed */1700}17011702/* Only overwrite with preferred values */1703if (preferred == 0)1704return 1; /* ok, but no change */1705}17061707colorspace->end_points_xy = *xy;1708colorspace->end_points_XYZ = *XYZ;1709colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;17101711/* The end points are normally quoted to two decimal digits, so allow +/-0.011712* on this test.1713*/1714if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)1715colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;17161717else1718colorspace->flags &= PNG_COLORSPACE_CANCEL(1719PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);17201721return 2; /* ok and changed */1722}17231724int /* PRIVATE */1725png_colorspace_set_chromaticities(png_const_structrp png_ptr,1726png_colorspacerp colorspace, const png_xy *xy, int preferred)1727{1728/* We must check the end points to ensure they are reasonable - in the past1729* color management systems have crashed as a result of getting bogus1730* colorant values, while this isn't the fault of libpng it is the1731* responsibility of libpng because PNG carries the bomb and libpng is in a1732* position to protect against it.1733*/1734png_XYZ XYZ;17351736switch (png_colorspace_check_xy(&XYZ, xy))1737{1738case 0: /* success */1739return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,1740preferred);17411742case 1:1743/* We can't invert the chromaticities so we can't produce value XYZ1744* values. Likely as not a color management system will fail too.1745*/1746colorspace->flags |= PNG_COLORSPACE_INVALID;1747png_benign_error(png_ptr, "invalid chromaticities");1748break;17491750default:1751/* libpng is broken; this should be a warning but if it happens we1752* want error reports so for the moment it is an error.1753*/1754colorspace->flags |= PNG_COLORSPACE_INVALID;1755png_error(png_ptr, "internal error checking chromaticities");1756}17571758return 0; /* failed */1759}17601761int /* PRIVATE */1762png_colorspace_set_endpoints(png_const_structrp png_ptr,1763png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)1764{1765png_XYZ XYZ = *XYZ_in;1766png_xy xy;17671768switch (png_colorspace_check_XYZ(&xy, &XYZ))1769{1770case 0:1771return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,1772preferred);17731774case 1:1775/* End points are invalid. */1776colorspace->flags |= PNG_COLORSPACE_INVALID;1777png_benign_error(png_ptr, "invalid end points");1778break;17791780default:1781colorspace->flags |= PNG_COLORSPACE_INVALID;1782png_error(png_ptr, "internal error checking chromaticities");1783}17841785return 0; /* failed */1786}17871788#if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)1789/* Error message generation */1790static char1791png_icc_tag_char(png_uint_32 byte)1792{1793byte &= 0xff;1794if (byte >= 32 && byte <= 126)1795return (char)byte;1796else1797return '?';1798}17991800static void1801png_icc_tag_name(char *name, png_uint_32 tag)1802{1803name[0] = '\'';1804name[1] = png_icc_tag_char(tag >> 24);1805name[2] = png_icc_tag_char(tag >> 16);1806name[3] = png_icc_tag_char(tag >> 8);1807name[4] = png_icc_tag_char(tag );1808name[5] = '\'';1809}18101811static int1812is_ICC_signature_char(png_alloc_size_t it)1813{1814return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||1815(it >= 97 && it <= 122);1816}18171818static int1819is_ICC_signature(png_alloc_size_t it)1820{1821return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&1822is_ICC_signature_char((it >> 16) & 0xff) &&1823is_ICC_signature_char((it >> 8) & 0xff) &&1824is_ICC_signature_char(it & 0xff);1825}18261827static int1828png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,1829png_const_charp name, png_alloc_size_t value, png_const_charp reason)1830{1831size_t pos;1832char message[196]; /* see below for calculation */18331834if (colorspace != NULL)1835colorspace->flags |= PNG_COLORSPACE_INVALID;18361837pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */1838pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */1839pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */1840if (is_ICC_signature(value) != 0)1841{1842/* So 'value' is at most 4 bytes and the following cast is safe */1843png_icc_tag_name(message+pos, (png_uint_32)value);1844pos += 6; /* total +8; less than the else clause */1845message[pos++] = ':';1846message[pos++] = ' ';1847}1848# ifdef PNG_WARNINGS_SUPPORTED1849else1850{1851char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/18521853pos = png_safecat(message, (sizeof message), pos,1854png_format_number(number, number+(sizeof number),1855PNG_NUMBER_FORMAT_x, value));1856pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/1857}1858# endif1859/* The 'reason' is an arbitrary message, allow +79 maximum 195 */1860pos = png_safecat(message, (sizeof message), pos, reason);1861PNG_UNUSED(pos)18621863/* This is recoverable, but make it unconditionally an app_error on write to1864* avoid writing invalid ICC profiles into PNG files (i.e., we handle them1865* on read, with a warning, but on write unless the app turns off1866* application errors the PNG won't be written.)1867*/1868png_chunk_report(png_ptr, message,1869(colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);18701871return 0;1872}1873#endif /* sRGB || iCCP */18741875#ifdef PNG_sRGB_SUPPORTED1876int /* PRIVATE */1877png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,1878int intent)1879{1880/* sRGB sets known gamma, end points and (from the chunk) intent. */1881/* IMPORTANT: these are not necessarily the values found in an ICC profile1882* because ICC profiles store values adapted to a D50 environment; it is1883* expected that the ICC profile mediaWhitePointTag will be D50; see the1884* checks and code elsewhere to understand this better.1885*1886* These XYZ values, which are accurate to 5dp, produce rgb to gray1887* coefficients of (6968,23435,2366), which are reduced (because they add up1888* to 32769 not 32768) to (6968,23434,2366). These are the values that1889* libpng has traditionally used (and are the best values given the 15bit1890* algorithm used by the rgb to gray code.)1891*/1892static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */1893{1894/* color X Y Z */1895/* red */ 41239, 21264, 1933,1896/* green */ 35758, 71517, 11919,1897/* blue */ 18048, 7219, 950531898};18991900/* Do nothing if the colorspace is already invalidated. */1901if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)1902return 0;19031904/* Check the intent, then check for existing settings. It is valid for the1905* PNG file to have cHRM or gAMA chunks along with sRGB, but the values must1906* be consistent with the correct values. If, however, this function is1907* called below because an iCCP chunk matches sRGB then it is quite1908* conceivable that an older app recorded incorrect gAMA and cHRM because of1909* an incorrect calculation based on the values in the profile - this does1910* *not* invalidate the profile (though it still produces an error, which can1911* be ignored.)1912*/1913if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)1914return png_icc_profile_error(png_ptr, colorspace, "sRGB",1915(png_alloc_size_t)intent, "invalid sRGB rendering intent");19161917if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&1918colorspace->rendering_intent != intent)1919return png_icc_profile_error(png_ptr, colorspace, "sRGB",1920(png_alloc_size_t)intent, "inconsistent rendering intents");19211922if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)1923{1924png_benign_error(png_ptr, "duplicate sRGB information ignored");1925return 0;1926}19271928/* If the standard sRGB cHRM chunk does not match the one from the PNG file1929* warn but overwrite the value with the correct one.1930*/1931if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&1932!png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,1933100))1934png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",1935PNG_CHUNK_ERROR);19361937/* This check is just done for the error reporting - the routine always1938* returns true when the 'from' argument corresponds to sRGB (2).1939*/1940(void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,19412/*from sRGB*/);19421943/* intent: bugs in GCC force 'int' to be used as the parameter type. */1944colorspace->rendering_intent = (png_uint_16)intent;1945colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;19461947/* endpoints */1948colorspace->end_points_xy = sRGB_xy;1949colorspace->end_points_XYZ = sRGB_XYZ;1950colorspace->flags |=1951(PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);19521953/* gamma */1954colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;1955colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;19561957/* Finally record that we have an sRGB profile */1958colorspace->flags |=1959(PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);19601961return 1; /* set */1962}1963#endif /* sRGB */19641965#ifdef PNG_iCCP_SUPPORTED1966/* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value1967* is XYZ(0.9642,1.0,0.8249), which scales to:1968*1969* (63189.8112, 65536, 54060.6464)1970*/1971static const png_byte D50_nCIEXYZ[12] =1972{ 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };19731974static int /* bool */1975icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,1976png_const_charp name, png_uint_32 profile_length)1977{1978if (profile_length < 132)1979return png_icc_profile_error(png_ptr, colorspace, name, profile_length,1980"too short");1981return 1;1982}19831984#ifdef PNG_READ_iCCP_SUPPORTED1985int /* PRIVATE */1986png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,1987png_const_charp name, png_uint_32 profile_length)1988{1989if (!icc_check_length(png_ptr, colorspace, name, profile_length))1990return 0;19911992/* This needs to be here because the 'normal' check is in1993* png_decompress_chunk, yet this happens after the attempt to1994* png_malloc_base the required data. We only need this on read; on write1995* the caller supplies the profile buffer so libpng doesn't allocate it. See1996* the call to icc_check_length below (the write case).1997*/1998# ifdef PNG_SET_USER_LIMITS_SUPPORTED1999else if (png_ptr->user_chunk_malloc_max > 0 &&2000png_ptr->user_chunk_malloc_max < profile_length)2001return png_icc_profile_error(png_ptr, colorspace, name, profile_length,2002"exceeds application limits");2003# elif PNG_USER_CHUNK_MALLOC_MAX > 02004else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)2005return png_icc_profile_error(png_ptr, colorspace, name, profile_length,2006"exceeds libpng limits");2007# else /* !SET_USER_LIMITS */2008/* This will get compiled out on all 32-bit and better systems. */2009else if (PNG_SIZE_MAX < profile_length)2010return png_icc_profile_error(png_ptr, colorspace, name, profile_length,2011"exceeds system limits");2012# endif /* !SET_USER_LIMITS */20132014return 1;2015}2016#endif /* READ_iCCP */20172018int /* PRIVATE */2019png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,2020png_const_charp name, png_uint_32 profile_length,2021png_const_bytep profile/* first 132 bytes only */, int color_type)2022{2023png_uint_32 temp;20242025/* Length check; this cannot be ignored in this code because profile_length2026* is used later to check the tag table, so even if the profile seems over2027* long profile_length from the caller must be correct. The caller can fix2028* this up on read or write by just passing in the profile header length.2029*/2030temp = png_get_uint_32(profile);2031if (temp != profile_length)2032return png_icc_profile_error(png_ptr, colorspace, name, temp,2033"length does not match profile");20342035temp = (png_uint_32) (*(profile+8));2036if (temp > 3 && (profile_length & 3))2037return png_icc_profile_error(png_ptr, colorspace, name, profile_length,2038"invalid length");20392040temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */2041if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */2042profile_length < 132+12*temp) /* truncated tag table */2043return png_icc_profile_error(png_ptr, colorspace, name, temp,2044"tag count too large");20452046/* The 'intent' must be valid or we can't store it, ICC limits the intent to2047* 16 bits.2048*/2049temp = png_get_uint_32(profile+64);2050if (temp >= 0xffff) /* The ICC limit */2051return png_icc_profile_error(png_ptr, colorspace, name, temp,2052"invalid rendering intent");20532054/* This is just a warning because the profile may be valid in future2055* versions.2056*/2057if (temp >= PNG_sRGB_INTENT_LAST)2058(void)png_icc_profile_error(png_ptr, NULL, name, temp,2059"intent outside defined range");20602061/* At this point the tag table can't be checked because it hasn't necessarily2062* been loaded; however, various header fields can be checked. These checks2063* are for values permitted by the PNG spec in an ICC profile; the PNG spec2064* restricts the profiles that can be passed in an iCCP chunk (they must be2065* appropriate to processing PNG data!)2066*/20672068/* Data checks (could be skipped). These checks must be independent of the2069* version number; however, the version number doesn't accomodate changes in2070* the header fields (just the known tags and the interpretation of the2071* data.)2072*/2073temp = png_get_uint_32(profile+36); /* signature 'ascp' */2074if (temp != 0x61637370)2075return png_icc_profile_error(png_ptr, colorspace, name, temp,2076"invalid signature");20772078/* Currently the PCS illuminant/adopted white point (the computational2079* white point) are required to be D50,2080* however the profile contains a record of the illuminant so perhaps ICC2081* expects to be able to change this in the future (despite the rationale in2082* the introduction for using a fixed PCS adopted white.) Consequently the2083* following is just a warning.2084*/2085if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)2086(void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,2087"PCS illuminant is not D50");20882089/* The PNG spec requires this:2090* "If the iCCP chunk is present, the image samples conform to the colour2091* space represented by the embedded ICC profile as defined by the2092* International Color Consortium [ICC]. The colour space of the ICC profile2093* shall be an RGB colour space for colour images (PNG colour types 2, 3, and2094* 6), or a greyscale colour space for greyscale images (PNG colour types 02095* and 4)."2096*2097* This checking code ensures the embedded profile (on either read or write)2098* conforms to the specification requirements. Notice that an ICC 'gray'2099* color-space profile contains the information to transform the monochrome2100* data to XYZ or L*a*b (according to which PCS the profile uses) and this2101* should be used in preference to the standard libpng K channel replication2102* into R, G and B channels.2103*2104* Previously it was suggested that an RGB profile on grayscale data could be2105* handled. However it it is clear that using an RGB profile in this context2106* must be an error - there is no specification of what it means. Thus it is2107* almost certainly more correct to ignore the profile.2108*/2109temp = png_get_uint_32(profile+16); /* data colour space field */2110switch (temp)2111{2112case 0x52474220: /* 'RGB ' */2113if ((color_type & PNG_COLOR_MASK_COLOR) == 0)2114return png_icc_profile_error(png_ptr, colorspace, name, temp,2115"RGB color space not permitted on grayscale PNG");2116break;21172118case 0x47524159: /* 'GRAY' */2119if ((color_type & PNG_COLOR_MASK_COLOR) != 0)2120return png_icc_profile_error(png_ptr, colorspace, name, temp,2121"Gray color space not permitted on RGB PNG");2122break;21232124default:2125return png_icc_profile_error(png_ptr, colorspace, name, temp,2126"invalid ICC profile color space");2127}21282129/* It is up to the application to check that the profile class matches the2130* application requirements; the spec provides no guidance, but it's pretty2131* weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer2132* ('prtr') or 'spac' (for generic color spaces). Issue a warning in these2133* cases. Issue an error for device link or abstract profiles - these don't2134* contain the records necessary to transform the color-space to anything2135* other than the target device (and not even that for an abstract profile).2136* Profiles of these classes may not be embedded in images.2137*/2138temp = png_get_uint_32(profile+12); /* profile/device class */2139switch (temp)2140{2141case 0x73636e72: /* 'scnr' */2142case 0x6d6e7472: /* 'mntr' */2143case 0x70727472: /* 'prtr' */2144case 0x73706163: /* 'spac' */2145/* All supported */2146break;21472148case 0x61627374: /* 'abst' */2149/* May not be embedded in an image */2150return png_icc_profile_error(png_ptr, colorspace, name, temp,2151"invalid embedded Abstract ICC profile");21522153case 0x6c696e6b: /* 'link' */2154/* DeviceLink profiles cannot be interpreted in a non-device specific2155* fashion, if an app uses the AToB0Tag in the profile the results are2156* undefined unless the result is sent to the intended device,2157* therefore a DeviceLink profile should not be found embedded in a2158* PNG.2159*/2160return png_icc_profile_error(png_ptr, colorspace, name, temp,2161"unexpected DeviceLink ICC profile class");21622163case 0x6e6d636c: /* 'nmcl' */2164/* A NamedColor profile is also device specific, however it doesn't2165* contain an AToB0 tag that is open to misinterpretation. Almost2166* certainly it will fail the tests below.2167*/2168(void)png_icc_profile_error(png_ptr, NULL, name, temp,2169"unexpected NamedColor ICC profile class");2170break;21712172default:2173/* To allow for future enhancements to the profile accept unrecognized2174* profile classes with a warning, these then hit the test below on the2175* tag content to ensure they are backward compatible with one of the2176* understood profiles.2177*/2178(void)png_icc_profile_error(png_ptr, NULL, name, temp,2179"unrecognized ICC profile class");2180break;2181}21822183/* For any profile other than a device link one the PCS must be encoded2184* either in XYZ or Lab.2185*/2186temp = png_get_uint_32(profile+20);2187switch (temp)2188{2189case 0x58595a20: /* 'XYZ ' */2190case 0x4c616220: /* 'Lab ' */2191break;21922193default:2194return png_icc_profile_error(png_ptr, colorspace, name, temp,2195"unexpected ICC PCS encoding");2196}21972198return 1;2199}22002201int /* PRIVATE */2202png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,2203png_const_charp name, png_uint_32 profile_length,2204png_const_bytep profile /* header plus whole tag table */)2205{2206png_uint_32 tag_count = png_get_uint_32(profile+128);2207png_uint_32 itag;2208png_const_bytep tag = profile+132; /* The first tag */22092210/* First scan all the tags in the table and add bits to the icc_info value2211* (temporarily in 'tags').2212*/2213for (itag=0; itag < tag_count; ++itag, tag += 12)2214{2215png_uint_32 tag_id = png_get_uint_32(tag+0);2216png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */2217png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */22182219/* The ICC specification does not exclude zero length tags, therefore the2220* start might actually be anywhere if there is no data, but this would be2221* a clear abuse of the intent of the standard so the start is checked for2222* being in range. All defined tag types have an 8 byte header - a 4 byte2223* type signature then 0.2224*/22252226/* This is a hard error; potentially it can cause read outside the2227* profile.2228*/2229if (tag_start > profile_length || tag_length > profile_length - tag_start)2230return png_icc_profile_error(png_ptr, colorspace, name, tag_id,2231"ICC profile tag outside profile");22322233if ((tag_start & 3) != 0)2234{2235/* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is2236* only a warning here because libpng does not care about the2237* alignment.2238*/2239(void)png_icc_profile_error(png_ptr, NULL, name, tag_id,2240"ICC profile tag start not a multiple of 4");2241}2242}22432244return 1; /* success, maybe with warnings */2245}22462247#ifdef PNG_sRGB_SUPPORTED2248#if PNG_sRGB_PROFILE_CHECKS >= 02249/* Information about the known ICC sRGB profiles */2250static const struct2251{2252png_uint_32 adler, crc, length;2253png_uint_32 md5[4];2254png_byte have_md5;2255png_byte is_broken;2256png_uint_16 intent;22572258# define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)2259# define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\2260{ adler, crc, length, md5, broke, intent },22612262} png_sRGB_checks[] =2263{2264/* This data comes from contrib/tools/checksum-icc run on downloads of2265* all four ICC sRGB profiles from www.color.org.2266*/2267/* adler32, crc32, MD5[4], intent, date, length, file-name */2268PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,2269PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,2270"2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")22712272/* ICC sRGB v2 perceptual no black-compensation: */2273PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,2274PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,2275"2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")22762277PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,2278PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,2279"2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")22802281/* ICC sRGB v4 perceptual */2282PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,2283PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,2284"2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")22852286/* The following profiles have no known MD5 checksum. If there is a match2287* on the (empty) MD5 the other fields are used to attempt a match and2288* a warning is produced. The first two of these profiles have a 'cprt' tag2289* which suggests that they were also made by Hewlett Packard.2290*/2291PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,2292PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,2293"2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")22942295/* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not2296* match the D50 PCS illuminant in the header (it is in fact the D65 values,2297* so the white point is recorded as the un-adapted value.) The profiles2298* below only differ in one byte - the intent - and are basically the same as2299* the previous profile except for the mediaWhitePointTag error and a missing2300* chromaticAdaptationTag.2301*/2302PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,2303PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,2304"1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")23052306PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,2307PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,2308"1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")2309};23102311static int2312png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,2313png_const_bytep profile, uLong adler)2314{2315/* The quick check is to verify just the MD5 signature and trust the2316* rest of the data. Because the profile has already been verified for2317* correctness this is safe. png_colorspace_set_sRGB will check the 'intent'2318* field too, so if the profile has been edited with an intent not defined2319* by sRGB (but maybe defined by a later ICC specification) the read of2320* the profile will fail at that point.2321*/23222323png_uint_32 length = 0;2324png_uint_32 intent = 0x10000; /* invalid */2325#if PNG_sRGB_PROFILE_CHECKS > 12326uLong crc = 0; /* the value for 0 length data */2327#endif2328unsigned int i;23292330#ifdef PNG_SET_OPTION_SUPPORTED2331/* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */2332if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==2333PNG_OPTION_ON)2334return 0;2335#endif23362337for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)2338{2339if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&2340png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&2341png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&2342png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])2343{2344/* This may be one of the old HP profiles without an MD5, in that2345* case we can only use the length and Adler32 (note that these2346* are not used by default if there is an MD5!)2347*/2348# if PNG_sRGB_PROFILE_CHECKS == 02349if (png_sRGB_checks[i].have_md5 != 0)2350return 1+png_sRGB_checks[i].is_broken;2351# endif23522353/* Profile is unsigned or more checks have been configured in. */2354if (length == 0)2355{2356length = png_get_uint_32(profile);2357intent = png_get_uint_32(profile+64);2358}23592360/* Length *and* intent must match */2361if (length == (png_uint_32) png_sRGB_checks[i].length &&2362intent == (png_uint_32) png_sRGB_checks[i].intent)2363{2364/* Now calculate the adler32 if not done already. */2365if (adler == 0)2366{2367adler = adler32(0, NULL, 0);2368adler = adler32(adler, profile, length);2369}23702371if (adler == png_sRGB_checks[i].adler)2372{2373/* These basic checks suggest that the data has not been2374* modified, but if the check level is more than 1 perform2375* our own crc32 checksum on the data.2376*/2377# if PNG_sRGB_PROFILE_CHECKS > 12378if (crc == 0)2379{2380crc = crc32(0, NULL, 0);2381crc = crc32(crc, profile, length);2382}23832384/* So this check must pass for the 'return' below to happen.2385*/2386if (crc == png_sRGB_checks[i].crc)2387# endif2388{2389if (png_sRGB_checks[i].is_broken != 0)2390{2391/* These profiles are known to have bad data that may cause2392* problems if they are used, therefore attempt to2393* discourage their use, skip the 'have_md5' warning below,2394* which is made irrelevant by this error.2395*/2396png_chunk_report(png_ptr, "known incorrect sRGB profile",2397PNG_CHUNK_ERROR);2398}23992400/* Warn that this being done; this isn't even an error since2401* the profile is perfectly valid, but it would be nice if2402* people used the up-to-date ones.2403*/2404else if (png_sRGB_checks[i].have_md5 == 0)2405{2406png_chunk_report(png_ptr,2407"out-of-date sRGB profile with no signature",2408PNG_CHUNK_WARNING);2409}24102411return 1+png_sRGB_checks[i].is_broken;2412}2413}24142415# if PNG_sRGB_PROFILE_CHECKS > 02416/* The signature matched, but the profile had been changed in some2417* way. This probably indicates a data error or uninformed hacking.2418* Fall through to "no match".2419*/2420png_chunk_report(png_ptr,2421"Not recognizing known sRGB profile that has been edited",2422PNG_CHUNK_WARNING);2423break;2424# endif2425}2426}2427}24282429return 0; /* no match */2430}24312432void /* PRIVATE */2433png_icc_set_sRGB(png_const_structrp png_ptr,2434png_colorspacerp colorspace, png_const_bytep profile, uLong adler)2435{2436/* Is this profile one of the known ICC sRGB profiles? If it is, just set2437* the sRGB information.2438*/2439if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)2440(void)png_colorspace_set_sRGB(png_ptr, colorspace,2441(int)/*already checked*/png_get_uint_32(profile+64));2442}2443#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */2444#endif /* sRGB */24452446int /* PRIVATE */2447png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,2448png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,2449int color_type)2450{2451if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)2452return 0;24532454if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&2455png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,2456color_type) != 0 &&2457png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,2458profile) != 0)2459{2460# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 02461/* If no sRGB support, don't try storing sRGB information */2462png_icc_set_sRGB(png_ptr, colorspace, profile, 0);2463# endif2464return 1;2465}24662467/* Failure case */2468return 0;2469}2470#endif /* iCCP */24712472#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED2473void /* PRIVATE */2474png_colorspace_set_rgb_coefficients(png_structrp png_ptr)2475{2476/* Set the rgb_to_gray coefficients from the colorspace. */2477if (png_ptr->rgb_to_gray_coefficients_set == 0 &&2478(png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)2479{2480/* png_set_background has not been called, get the coefficients from the Y2481* values of the colorspace colorants.2482*/2483png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;2484png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;2485png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;2486png_fixed_point total = r+g+b;24872488if (total > 0 &&2489r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&2490g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&2491b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&2492r+g+b <= 32769)2493{2494/* We allow 0 coefficients here. r+g+b may be 32769 if two or2495* all of the coefficients were rounded up. Handle this by2496* reducing the *largest* coefficient by 1; this matches the2497* approach used for the default coefficients in pngrtran.c2498*/2499int add = 0;25002501if (r+g+b > 32768)2502add = -1;2503else if (r+g+b < 32768)2504add = 1;25052506if (add != 0)2507{2508if (g >= r && g >= b)2509g += add;2510else if (r >= g && r >= b)2511r += add;2512else2513b += add;2514}25152516/* Check for an internal error. */2517if (r+g+b != 32768)2518png_error(png_ptr,2519"internal error handling cHRM coefficients");25202521else2522{2523png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;2524png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;2525}2526}25272528/* This is a png_error at present even though it could be ignored -2529* it should never happen, but it is important that if it does, the2530* bug is fixed.2531*/2532else2533png_error(png_ptr, "internal error handling cHRM->XYZ");2534}2535}2536#endif /* READ_RGB_TO_GRAY */25372538#endif /* COLORSPACE */25392540#ifdef __GNUC__2541/* This exists solely to work round a warning from GNU C. */2542static int /* PRIVATE */2543png_gt(size_t a, size_t b)2544{2545return a > b;2546}2547#else2548# define png_gt(a,b) ((a) > (b))2549#endif25502551void /* PRIVATE */2552png_check_IHDR(png_const_structrp png_ptr,2553png_uint_32 width, png_uint_32 height, int bit_depth,2554int color_type, int interlace_type, int compression_type,2555int filter_type)2556{2557int error = 0;25582559/* Check for width and height valid values */2560if (width == 0)2561{2562png_warning(png_ptr, "Image width is zero in IHDR");2563error = 1;2564}25652566if (width > PNG_UINT_31_MAX)2567{2568png_warning(png_ptr, "Invalid image width in IHDR");2569error = 1;2570}25712572if (png_gt(((width + 7) & (~7U)),2573((PNG_SIZE_MAX2574- 48 /* big_row_buf hack */2575- 1) /* filter byte */2576/ 8) /* 8-byte RGBA pixels */2577- 1)) /* extra max_pixel_depth pad */2578{2579/* The size of the row must be within the limits of this architecture.2580* Because the read code can perform arbitrary transformations the2581* maximum size is checked here. Because the code in png_read_start_row2582* adds extra space "for safety's sake" in several places a conservative2583* limit is used here.2584*2585* NOTE: it would be far better to check the size that is actually used,2586* but the effect in the real world is minor and the changes are more2587* extensive, therefore much more dangerous and much more difficult to2588* write in a way that avoids compiler warnings.2589*/2590png_warning(png_ptr, "Image width is too large for this architecture");2591error = 1;2592}25932594#ifdef PNG_SET_USER_LIMITS_SUPPORTED2595if (width > png_ptr->user_width_max)2596#else2597if (width > PNG_USER_WIDTH_MAX)2598#endif2599{2600png_warning(png_ptr, "Image width exceeds user limit in IHDR");2601error = 1;2602}26032604if (height == 0)2605{2606png_warning(png_ptr, "Image height is zero in IHDR");2607error = 1;2608}26092610if (height > PNG_UINT_31_MAX)2611{2612png_warning(png_ptr, "Invalid image height in IHDR");2613error = 1;2614}26152616#ifdef PNG_SET_USER_LIMITS_SUPPORTED2617if (height > png_ptr->user_height_max)2618#else2619if (height > PNG_USER_HEIGHT_MAX)2620#endif2621{2622png_warning(png_ptr, "Image height exceeds user limit in IHDR");2623error = 1;2624}26252626/* Check other values */2627if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&2628bit_depth != 8 && bit_depth != 16)2629{2630png_warning(png_ptr, "Invalid bit depth in IHDR");2631error = 1;2632}26332634if (color_type < 0 || color_type == 1 ||2635color_type == 5 || color_type > 6)2636{2637png_warning(png_ptr, "Invalid color type in IHDR");2638error = 1;2639}26402641if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||2642((color_type == PNG_COLOR_TYPE_RGB ||2643color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||2644color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))2645{2646png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");2647error = 1;2648}26492650if (interlace_type >= PNG_INTERLACE_LAST)2651{2652png_warning(png_ptr, "Unknown interlace method in IHDR");2653error = 1;2654}26552656if (compression_type != PNG_COMPRESSION_TYPE_BASE)2657{2658png_warning(png_ptr, "Unknown compression method in IHDR");2659error = 1;2660}26612662#ifdef PNG_MNG_FEATURES_SUPPORTED2663/* Accept filter_method 64 (intrapixel differencing) only if2664* 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and2665* 2. Libpng did not read a PNG signature (this filter_method is only2666* used in PNG datastreams that are embedded in MNG datastreams) and2667* 3. The application called png_permit_mng_features with a mask that2668* included PNG_FLAG_MNG_FILTER_64 and2669* 4. The filter_method is 64 and2670* 5. The color_type is RGB or RGBA2671*/2672if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&2673png_ptr->mng_features_permitted != 0)2674png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");26752676if (filter_type != PNG_FILTER_TYPE_BASE)2677{2678if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&2679(filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&2680((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&2681(color_type == PNG_COLOR_TYPE_RGB ||2682color_type == PNG_COLOR_TYPE_RGB_ALPHA)))2683{2684png_warning(png_ptr, "Unknown filter method in IHDR");2685error = 1;2686}26872688if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)2689{2690png_warning(png_ptr, "Invalid filter method in IHDR");2691error = 1;2692}2693}26942695#else2696if (filter_type != PNG_FILTER_TYPE_BASE)2697{2698png_warning(png_ptr, "Unknown filter method in IHDR");2699error = 1;2700}2701#endif27022703if (error == 1)2704png_error(png_ptr, "Invalid IHDR data");2705}27062707#if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)2708/* ASCII to fp functions */2709/* Check an ASCII formated floating point value, see the more detailed2710* comments in pngpriv.h2711*/2712/* The following is used internally to preserve the sticky flags */2713#define png_fp_add(state, flags) ((state) |= (flags))2714#define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))27152716int /* PRIVATE */2717png_check_fp_number(png_const_charp string, png_size_t size, int *statep,2718png_size_tp whereami)2719{2720int state = *statep;2721png_size_t i = *whereami;27222723while (i < size)2724{2725int type;2726/* First find the type of the next character */2727switch (string[i])2728{2729case 43: type = PNG_FP_SAW_SIGN; break;2730case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;2731case 46: type = PNG_FP_SAW_DOT; break;2732case 48: type = PNG_FP_SAW_DIGIT; break;2733case 49: case 50: case 51: case 52:2734case 53: case 54: case 55: case 56:2735case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;2736case 69:2737case 101: type = PNG_FP_SAW_E; break;2738default: goto PNG_FP_End;2739}27402741/* Now deal with this type according to the current2742* state, the type is arranged to not overlap the2743* bits of the PNG_FP_STATE.2744*/2745switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))2746{2747case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:2748if ((state & PNG_FP_SAW_ANY) != 0)2749goto PNG_FP_End; /* not a part of the number */27502751png_fp_add(state, type);2752break;27532754case PNG_FP_INTEGER + PNG_FP_SAW_DOT:2755/* Ok as trailer, ok as lead of fraction. */2756if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */2757goto PNG_FP_End;27582759else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */2760png_fp_add(state, type);27612762else2763png_fp_set(state, PNG_FP_FRACTION | type);27642765break;27662767case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:2768if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */2769png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);27702771png_fp_add(state, type | PNG_FP_WAS_VALID);27722773break;27742775case PNG_FP_INTEGER + PNG_FP_SAW_E:2776if ((state & PNG_FP_SAW_DIGIT) == 0)2777goto PNG_FP_End;27782779png_fp_set(state, PNG_FP_EXPONENT);27802781break;27822783/* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:2784goto PNG_FP_End; ** no sign in fraction */27852786/* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:2787goto PNG_FP_End; ** Because SAW_DOT is always set */27882789case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:2790png_fp_add(state, type | PNG_FP_WAS_VALID);2791break;27922793case PNG_FP_FRACTION + PNG_FP_SAW_E:2794/* This is correct because the trailing '.' on an2795* integer is handled above - so we can only get here2796* with the sequence ".E" (with no preceding digits).2797*/2798if ((state & PNG_FP_SAW_DIGIT) == 0)2799goto PNG_FP_End;28002801png_fp_set(state, PNG_FP_EXPONENT);28022803break;28042805case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:2806if ((state & PNG_FP_SAW_ANY) != 0)2807goto PNG_FP_End; /* not a part of the number */28082809png_fp_add(state, PNG_FP_SAW_SIGN);28102811break;28122813/* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:2814goto PNG_FP_End; */28152816case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:2817png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);28182819break;28202821/* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:2822goto PNG_FP_End; */28232824default: goto PNG_FP_End; /* I.e. break 2 */2825}28262827/* The character seems ok, continue. */2828++i;2829}28302831PNG_FP_End:2832/* Here at the end, update the state and return the correct2833* return code.2834*/2835*statep = state;2836*whereami = i;28372838return (state & PNG_FP_SAW_DIGIT) != 0;2839}284028412842/* The same but for a complete string. */2843int2844png_check_fp_string(png_const_charp string, png_size_t size)2845{2846int state=0;2847png_size_t char_index=0;28482849if (png_check_fp_number(string, size, &state, &char_index) != 0 &&2850(char_index == size || string[char_index] == 0))2851return state /* must be non-zero - see above */;28522853return 0; /* i.e. fail */2854}2855#endif /* pCAL || sCAL */28562857#ifdef PNG_sCAL_SUPPORTED2858# ifdef PNG_FLOATING_POINT_SUPPORTED2859/* Utility used below - a simple accurate power of ten from an integral2860* exponent.2861*/2862static double2863png_pow10(int power)2864{2865int recip = 0;2866double d = 1;28672868/* Handle negative exponent with a reciprocal at the end because2869* 10 is exact whereas .1 is inexact in base 22870*/2871if (power < 0)2872{2873if (power < DBL_MIN_10_EXP) return 0;2874recip = 1; power = -power;2875}28762877if (power > 0)2878{2879/* Decompose power bitwise. */2880double mult = 10;2881do2882{2883if (power & 1) d *= mult;2884mult *= mult;2885power >>= 1;2886}2887while (power > 0);28882889if (recip != 0) d = 1/d;2890}2891/* else power is 0 and d is 1 */28922893return d;2894}28952896/* Function to format a floating point value in ASCII with a given2897* precision.2898*/2899#if GCC_STRICT_OVERFLOW2900#pragma GCC diagnostic push2901/* The problem arises below with exp_b10, which can never overflow because it2902* comes, originally, from frexp and is therefore limited to a range which is2903* typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).2904*/2905#pragma GCC diagnostic warning "-Wstrict-overflow=2"2906#endif /* GCC_STRICT_OVERFLOW */2907void /* PRIVATE */2908png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,2909double fp, unsigned int precision)2910{2911/* We use standard functions from math.h, but not printf because2912* that would require stdio. The caller must supply a buffer of2913* sufficient size or we will png_error. The tests on size and2914* the space in ascii[] consumed are indicated below.2915*/2916if (precision < 1)2917precision = DBL_DIG;29182919/* Enforce the limit of the implementation precision too. */2920if (precision > DBL_DIG+1)2921precision = DBL_DIG+1;29222923/* Basic sanity checks */2924if (size >= precision+5) /* See the requirements below. */2925{2926if (fp < 0)2927{2928fp = -fp;2929*ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */2930--size;2931}29322933if (fp >= DBL_MIN && fp <= DBL_MAX)2934{2935int exp_b10; /* A base 10 exponent */2936double base; /* 10^exp_b10 */29372938/* First extract a base 10 exponent of the number,2939* the calculation below rounds down when converting2940* from base 2 to base 10 (multiply by log10(2) -2941* 0.3010, but 77/256 is 0.3008, so exp_b10 needs to2942* be increased. Note that the arithmetic shift2943* performs a floor() unlike C arithmetic - using a2944* C multiply would break the following for negative2945* exponents.2946*/2947(void)frexp(fp, &exp_b10); /* exponent to base 2 */29482949exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */29502951/* Avoid underflow here. */2952base = png_pow10(exp_b10); /* May underflow */29532954while (base < DBL_MIN || base < fp)2955{2956/* And this may overflow. */2957double test = png_pow10(exp_b10+1);29582959if (test <= DBL_MAX)2960{2961++exp_b10; base = test;2962}29632964else2965break;2966}29672968/* Normalize fp and correct exp_b10, after this fp is in the2969* range [.1,1) and exp_b10 is both the exponent and the digit2970* *before* which the decimal point should be inserted2971* (starting with 0 for the first digit). Note that this2972* works even if 10^exp_b10 is out of range because of the2973* test on DBL_MAX above.2974*/2975fp /= base;2976while (fp >= 1)2977{2978fp /= 10; ++exp_b10;2979}29802981/* Because of the code above fp may, at this point, be2982* less than .1, this is ok because the code below can2983* handle the leading zeros this generates, so no attempt2984* is made to correct that here.2985*/29862987{2988unsigned int czero, clead, cdigits;2989char exponent[10];29902991/* Allow up to two leading zeros - this will not lengthen2992* the number compared to using E-n.2993*/2994if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */2995{2996czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */2997exp_b10 = 0; /* Dot added below before first output. */2998}2999else3000czero = 0; /* No zeros to add */30013002/* Generate the digit list, stripping trailing zeros and3003* inserting a '.' before a digit if the exponent is 0.3004*/3005clead = czero; /* Count of leading zeros */3006cdigits = 0; /* Count of digits in list. */30073008do3009{3010double d;30113012fp *= 10;3013/* Use modf here, not floor and subtract, so that3014* the separation is done in one step. At the end3015* of the loop don't break the number into parts so3016* that the final digit is rounded.3017*/3018if (cdigits+czero+1 < precision+clead)3019fp = modf(fp, &d);30203021else3022{3023d = floor(fp + .5);30243025if (d > 9)3026{3027/* Rounding up to 10, handle that here. */3028if (czero > 0)3029{3030--czero; d = 1;3031if (cdigits == 0) --clead;3032}3033else3034{3035while (cdigits > 0 && d > 9)3036{3037int ch = *--ascii;30383039if (exp_b10 != (-1))3040++exp_b10;30413042else if (ch == 46)3043{3044ch = *--ascii; ++size;3045/* Advance exp_b10 to '1', so that the3046* decimal point happens after the3047* previous digit.3048*/3049exp_b10 = 1;3050}30513052--cdigits;3053d = ch - 47; /* I.e. 1+(ch-48) */3054}30553056/* Did we reach the beginning? If so adjust the3057* exponent but take into account the leading3058* decimal point.3059*/3060if (d > 9) /* cdigits == 0 */3061{3062if (exp_b10 == (-1))3063{3064/* Leading decimal point (plus zeros?), if3065* we lose the decimal point here it must3066* be reentered below.3067*/3068int ch = *--ascii;30693070if (ch == 46)3071{3072++size; exp_b10 = 1;3073}30743075/* Else lost a leading zero, so 'exp_b10' is3076* still ok at (-1)3077*/3078}3079else3080++exp_b10;30813082/* In all cases we output a '1' */3083d = 1;3084}3085}3086}3087fp = 0; /* Guarantees termination below. */3088}30893090if (d == 0)3091{3092++czero;3093if (cdigits == 0) ++clead;3094}3095else3096{3097/* Included embedded zeros in the digit count. */3098cdigits += czero - clead;3099clead = 0;31003101while (czero > 0)3102{3103/* exp_b10 == (-1) means we just output the decimal3104* place - after the DP don't adjust 'exp_b10' any3105* more!3106*/3107if (exp_b10 != (-1))3108{3109if (exp_b10 == 0)3110{3111*ascii++ = 46; --size;3112}3113/* PLUS 1: TOTAL 4 */3114--exp_b10;3115}3116*ascii++ = 48; --czero;3117}31183119if (exp_b10 != (-1))3120{3121if (exp_b10 == 0)3122{3123*ascii++ = 46; --size; /* counted above */3124}31253126--exp_b10;3127}3128*ascii++ = (char)(48 + (int)d); ++cdigits;3129}3130}3131while (cdigits+czero < precision+clead && fp > DBL_MIN);31323133/* The total output count (max) is now 4+precision */31343135/* Check for an exponent, if we don't need one we are3136* done and just need to terminate the string. At3137* this point exp_b10==(-1) is effectively a flag - it got3138* to '-1' because of the decrement after outputting3139* the decimal point above (the exponent required is3140* *not* -1!)3141*/3142if (exp_b10 >= (-1) && exp_b10 <= 2)3143{3144/* The following only happens if we didn't output the3145* leading zeros above for negative exponent, so this3146* doesn't add to the digit requirement. Note that the3147* two zeros here can only be output if the two leading3148* zeros were *not* output, so this doesn't increase3149* the output count.3150*/3151while (exp_b10-- > 0) *ascii++ = 48;31523153*ascii = 0;31543155/* Total buffer requirement (including the '\0') is3156* 5+precision - see check at the start.3157*/3158return;3159}31603161/* Here if an exponent is required, adjust size for3162* the digits we output but did not count. The total3163* digit output here so far is at most 1+precision - no3164* decimal point and no leading or trailing zeros have3165* been output.3166*/3167size -= cdigits;31683169*ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */31703171/* The following use of an unsigned temporary avoids ambiguities in3172* the signed arithmetic on exp_b10 and permits GCC at least to do3173* better optimization.3174*/3175{3176unsigned int uexp_b10;31773178if (exp_b10 < 0)3179{3180*ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */3181uexp_b10 = 0U-exp_b10;3182}31833184else3185uexp_b10 = 0U+exp_b10;31863187cdigits = 0;31883189while (uexp_b10 > 0)3190{3191exponent[cdigits++] = (char)(48 + uexp_b10 % 10);3192uexp_b10 /= 10;3193}3194}31953196/* Need another size check here for the exponent digits, so3197* this need not be considered above.3198*/3199if (size > cdigits)3200{3201while (cdigits > 0) *ascii++ = exponent[--cdigits];32023203*ascii = 0;32043205return;3206}3207}3208}3209else if (!(fp >= DBL_MIN))3210{3211*ascii++ = 48; /* '0' */3212*ascii = 0;3213return;3214}3215else3216{3217*ascii++ = 105; /* 'i' */3218*ascii++ = 110; /* 'n' */3219*ascii++ = 102; /* 'f' */3220*ascii = 0;3221return;3222}3223}32243225/* Here on buffer too small. */3226png_error(png_ptr, "ASCII conversion buffer too small");3227}3228#if GCC_STRICT_OVERFLOW3229#pragma GCC diagnostic pop3230#endif /* GCC_STRICT_OVERFLOW */32313232# endif /* FLOATING_POINT */32333234# ifdef PNG_FIXED_POINT_SUPPORTED3235/* Function to format a fixed point value in ASCII.3236*/3237void /* PRIVATE */3238png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,3239png_size_t size, png_fixed_point fp)3240{3241/* Require space for 10 decimal digits, a decimal point, a minus sign and a3242* trailing \0, 13 characters:3243*/3244if (size > 12)3245{3246png_uint_32 num;32473248/* Avoid overflow here on the minimum integer. */3249if (fp < 0)3250{3251*ascii++ = 45; num = (png_uint_32)(-fp);3252}3253else3254num = (png_uint_32)fp;32553256if (num <= 0x80000000) /* else overflowed */3257{3258unsigned int ndigits = 0, first = 16 /* flag value */;3259char digits[10];32603261while (num)3262{3263/* Split the low digit off num: */3264unsigned int tmp = num/10;3265num -= tmp*10;3266digits[ndigits++] = (char)(48 + num);3267/* Record the first non-zero digit, note that this is a number3268* starting at 1, it's not actually the array index.3269*/3270if (first == 16 && num > 0)3271first = ndigits;3272num = tmp;3273}32743275if (ndigits > 0)3276{3277while (ndigits > 5) *ascii++ = digits[--ndigits];3278/* The remaining digits are fractional digits, ndigits is '5' or3279* smaller at this point. It is certainly not zero. Check for a3280* non-zero fractional digit:3281*/3282if (first <= 5)3283{3284unsigned int i;3285*ascii++ = 46; /* decimal point */3286/* ndigits may be <5 for small numbers, output leading zeros3287* then ndigits digits to first:3288*/3289i = 5;3290while (ndigits < i)3291{3292*ascii++ = 48; --i;3293}3294while (ndigits >= first) *ascii++ = digits[--ndigits];3295/* Don't output the trailing zeros! */3296}3297}3298else3299*ascii++ = 48;33003301/* And null terminate the string: */3302*ascii = 0;3303return;3304}3305}33063307/* Here on buffer too small. */3308png_error(png_ptr, "ASCII conversion buffer too small");3309}3310# endif /* FIXED_POINT */3311#endif /* SCAL */33123313#if defined(PNG_FLOATING_POINT_SUPPORTED) && \3314!defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \3315(defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \3316defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \3317defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \3318(defined(PNG_sCAL_SUPPORTED) && \3319defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))3320png_fixed_point3321png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)3322{3323double r = floor(100000 * fp + .5);33243325if (r > 2147483647. || r < -2147483648.)3326png_fixed_error(png_ptr, text);33273328# ifndef PNG_ERROR_TEXT_SUPPORTED3329PNG_UNUSED(text)3330# endif33313332return (png_fixed_point)r;3333}3334#endif33353336#if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\3337defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)3338/* muldiv functions */3339/* This API takes signed arguments and rounds the result to the nearest3340* integer (or, for a fixed point number - the standard argument - to3341* the nearest .00001). Overflow and divide by zero are signalled in3342* the result, a boolean - true on success, false on overflow.3343*/3344#if GCC_STRICT_OVERFLOW /* from above */3345/* It is not obvious which comparison below gets optimized in such a way that3346* signed overflow would change the result; looking through the code does not3347* reveal any tests which have the form GCC complains about, so presumably the3348* optimizer is moving an add or subtract into the 'if' somewhere.3349*/3350#pragma GCC diagnostic push3351#pragma GCC diagnostic warning "-Wstrict-overflow=2"3352#endif /* GCC_STRICT_OVERFLOW */3353int3354png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,3355png_int_32 divisor)3356{3357/* Return a * times / divisor, rounded. */3358if (divisor != 0)3359{3360if (a == 0 || times == 0)3361{3362*res = 0;3363return 1;3364}3365else3366{3367#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED3368double r = a;3369r *= times;3370r /= divisor;3371r = floor(r+.5);33723373/* A png_fixed_point is a 32-bit integer. */3374if (r <= 2147483647. && r >= -2147483648.)3375{3376*res = (png_fixed_point)r;3377return 1;3378}3379#else3380int negative = 0;3381png_uint_32 A, T, D;3382png_uint_32 s16, s32, s00;33833384if (a < 0)3385negative = 1, A = -a;3386else3387A = a;33883389if (times < 0)3390negative = !negative, T = -times;3391else3392T = times;33933394if (divisor < 0)3395negative = !negative, D = -divisor;3396else3397D = divisor;33983399/* Following can't overflow because the arguments only3400* have 31 bits each, however the result may be 32 bits.3401*/3402s16 = (A >> 16) * (T & 0xffff) +3403(A & 0xffff) * (T >> 16);3404/* Can't overflow because the a*times bit is only 303405* bits at most.3406*/3407s32 = (A >> 16) * (T >> 16) + (s16 >> 16);3408s00 = (A & 0xffff) * (T & 0xffff);34093410s16 = (s16 & 0xffff) << 16;3411s00 += s16;34123413if (s00 < s16)3414++s32; /* carry */34153416if (s32 < D) /* else overflow */3417{3418/* s32.s00 is now the 64-bit product, do a standard3419* division, we know that s32 < D, so the maximum3420* required shift is 31.3421*/3422int bitshift = 32;3423png_fixed_point result = 0; /* NOTE: signed */34243425while (--bitshift >= 0)3426{3427png_uint_32 d32, d00;34283429if (bitshift > 0)3430d32 = D >> (32-bitshift), d00 = D << bitshift;34313432else3433d32 = 0, d00 = D;34343435if (s32 > d32)3436{3437if (s00 < d00) --s32; /* carry */3438s32 -= d32, s00 -= d00, result += 1<<bitshift;3439}34403441else3442if (s32 == d32 && s00 >= d00)3443s32 = 0, s00 -= d00, result += 1<<bitshift;3444}34453446/* Handle the rounding. */3447if (s00 >= (D >> 1))3448++result;34493450if (negative != 0)3451result = -result;34523453/* Check for overflow. */3454if ((negative != 0 && result <= 0) ||3455(negative == 0 && result >= 0))3456{3457*res = result;3458return 1;3459}3460}3461#endif3462}3463}34643465return 0;3466}3467#if GCC_STRICT_OVERFLOW3468#pragma GCC diagnostic pop3469#endif /* GCC_STRICT_OVERFLOW */3470#endif /* READ_GAMMA || INCH_CONVERSIONS */34713472#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)3473/* The following is for when the caller doesn't much care about the3474* result.3475*/3476png_fixed_point3477png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,3478png_int_32 divisor)3479{3480png_fixed_point result;34813482if (png_muldiv(&result, a, times, divisor) != 0)3483return result;34843485png_warning(png_ptr, "fixed point overflow ignored");3486return 0;3487}3488#endif34893490#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */3491/* Calculate a reciprocal, return 0 on div-by-zero or overflow. */3492png_fixed_point3493png_reciprocal(png_fixed_point a)3494{3495#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED3496double r = floor(1E10/a+.5);34973498if (r <= 2147483647. && r >= -2147483648.)3499return (png_fixed_point)r;3500#else3501png_fixed_point res;35023503if (png_muldiv(&res, 100000, 100000, a) != 0)3504return res;3505#endif35063507return 0; /* error/overflow */3508}35093510/* This is the shared test on whether a gamma value is 'significant' - whether3511* it is worth doing gamma correction.3512*/3513int /* PRIVATE */3514png_gamma_significant(png_fixed_point gamma_val)3515{3516return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||3517gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;3518}3519#endif35203521#ifdef PNG_READ_GAMMA_SUPPORTED3522#ifdef PNG_16BIT_SUPPORTED3523/* A local convenience routine. */3524static png_fixed_point3525png_product2(png_fixed_point a, png_fixed_point b)3526{3527/* The required result is 1/a * 1/b; the following preserves accuracy. */3528#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED3529double r = a * 1E-5;3530r *= b;3531r = floor(r+.5);35323533if (r <= 2147483647. && r >= -2147483648.)3534return (png_fixed_point)r;3535#else3536png_fixed_point res;35373538if (png_muldiv(&res, a, b, 100000) != 0)3539return res;3540#endif35413542return 0; /* overflow */3543}3544#endif /* 16BIT */35453546/* The inverse of the above. */3547png_fixed_point3548png_reciprocal2(png_fixed_point a, png_fixed_point b)3549{3550/* The required result is 1/a * 1/b; the following preserves accuracy. */3551#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED3552if (a != 0 && b != 0)3553{3554double r = 1E15/a;3555r /= b;3556r = floor(r+.5);35573558if (r <= 2147483647. && r >= -2147483648.)3559return (png_fixed_point)r;3560}3561#else3562/* This may overflow because the range of png_fixed_point isn't symmetric,3563* but this API is only used for the product of file and screen gamma so it3564* doesn't matter that the smallest number it can produce is 1/21474, not3565* 1/1000003566*/3567png_fixed_point res = png_product2(a, b);35683569if (res != 0)3570return png_reciprocal(res);3571#endif35723573return 0; /* overflow */3574}3575#endif /* READ_GAMMA */35763577#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */3578#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED3579/* Fixed point gamma.3580*3581* The code to calculate the tables used below can be found in the shell script3582* contrib/tools/intgamma.sh3583*3584* To calculate gamma this code implements fast log() and exp() calls using only3585* fixed point arithmetic. This code has sufficient precision for either 8-bit3586* or 16-bit sample values.3587*3588* The tables used here were calculated using simple 'bc' programs, but C double3589* precision floating point arithmetic would work fine.3590*3591* 8-bit log table3592* This is a table of -log(value/255)/log(2) for 'value' in the range 128 to3593* 255, so it's the base 2 logarithm of a normalized 8-bit floating point3594* mantissa. The numbers are 32-bit fractions.3595*/3596static const png_uint_323597png_8bit_l2[128] =3598{35994270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,36003986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,36013715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,36023455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,36033205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,36042965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,36052735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,36062512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,36072297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,36082089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,36091888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,36101694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,36111505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,36121322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,36131144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,3614971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,3615803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,3616639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,3617479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,3618324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,3619172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,362024347096U, 0U36213622#if 03623/* The following are the values for 16-bit tables - these work fine for the3624* 8-bit conversions but produce very slightly larger errors in the 16-bit3625* log (about 1.2 as opposed to 0.7 absolute error in the final value). To3626* use these all the shifts below must be adjusted appropriately.3627*/362865166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,362957371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,363050170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,363143479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,363237230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,363331369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,363425850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,363520636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,363615694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,363710997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,36386127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,36391119, 744, 3723640#endif3641};36423643static png_int_323644png_log8bit(unsigned int x)3645{3646unsigned int lg2 = 0;3647/* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,3648* because the log is actually negate that means adding 1. The final3649* returned value thus has the range 0 (for 255 input) to 7.994 (for 13650* input), return -1 for the overflow (log 0) case, - so the result is3651* always at most 19 bits.3652*/3653if ((x &= 0xff) == 0)3654return -1;36553656if ((x & 0xf0) == 0)3657lg2 = 4, x <<= 4;36583659if ((x & 0xc0) == 0)3660lg2 += 2, x <<= 2;36613662if ((x & 0x80) == 0)3663lg2 += 1, x <<= 1;36643665/* result is at most 19 bits, so this cast is safe: */3666return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));3667}36683669/* The above gives exact (to 16 binary places) log2 values for 8-bit images,3670* for 16-bit images we use the most significant 8 bits of the 16-bit value to3671* get an approximation then multiply the approximation by a correction factor3672* determined by the remaining up to 8 bits. This requires an additional step3673* in the 16-bit case.3674*3675* We want log2(value/65535), we have log2(v'/255), where:3676*3677* value = v' * 256 + v''3678* = v' * f3679*3680* So f is value/v', which is equal to (256+v''/v') since v' is in the range 1283681* to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less3682* than 258. The final factor also needs to correct for the fact that our 8-bit3683* value is scaled by 255, whereas the 16-bit values must be scaled by 65535.3684*3685* This gives a final formula using a calculated value 'x' which is value/v' and3686* scaling by 65536 to match the above table:3687*3688* log2(x/257) * 655363689*3690* Since these numbers are so close to '1' we can use simple linear3691* interpolation between the two end values 256/257 (result -368.61) and 258/2573692* (result 367.179). The values used below are scaled by a further 64 to give3693* 16-bit precision in the interpolation:3694*3695* Start (256): -235913696* Zero (257): 03697* End (258): 234993698*/3699#ifdef PNG_16BIT_SUPPORTED3700static png_int_323701png_log16bit(png_uint_32 x)3702{3703unsigned int lg2 = 0;37043705/* As above, but now the input has 16 bits. */3706if ((x &= 0xffff) == 0)3707return -1;37083709if ((x & 0xff00) == 0)3710lg2 = 8, x <<= 8;37113712if ((x & 0xf000) == 0)3713lg2 += 4, x <<= 4;37143715if ((x & 0xc000) == 0)3716lg2 += 2, x <<= 2;37173718if ((x & 0x8000) == 0)3719lg2 += 1, x <<= 1;37203721/* Calculate the base logarithm from the top 8 bits as a 28-bit fractional3722* value.3723*/3724lg2 <<= 28;3725lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;37263727/* Now we need to interpolate the factor, this requires a division by the top3728* 8 bits. Do this with maximum precision.3729*/3730x = ((x << 16) + (x >> 9)) / (x >> 8);37313732/* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,3733* the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly3734* 16 bits to interpolate to get the low bits of the result. Round the3735* answer. Note that the end point values are scaled by 64 to retain overall3736* precision and that 'lg2' is current scaled by an extra 12 bits, so adjust3737* the overall scaling by 6-12. Round at every step.3738*/3739x -= 1U << 24;37403741if (x <= 65536U) /* <= '257' */3742lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);37433744else3745lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);37463747/* Safe, because the result can't have more than 20 bits: */3748return (png_int_32)((lg2 + 2048) >> 12);3749}3750#endif /* 16BIT */37513752/* The 'exp()' case must invert the above, taking a 20-bit fixed point3753* logarithmic value and returning a 16 or 8-bit number as appropriate. In3754* each case only the low 16 bits are relevant - the fraction - since the3755* integer bits (the top 4) simply determine a shift.3756*3757* The worst case is the 16-bit distinction between 65535 and 65534. This3758* requires perhaps spurious accuracy in the decoding of the logarithm to3759* distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance3760* of getting this accuracy in practice.3761*3762* To deal with this the following exp() function works out the exponent of the3763* fractional part of the logarithm by using an accurate 32-bit value from the3764* top four fractional bits then multiplying in the remaining bits.3765*/3766static const png_uint_323767png_32bit_exp[16] =3768{3769/* NOTE: the first entry is deliberately set to the maximum 32-bit value. */37704294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,37713311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,37722553802834U, 2445529972U, 2341847524U, 2242560872U3773};37743775/* Adjustment table; provided to explain the numbers in the code below. */3776#if 03777for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}377811 44937.64284865548751208448377910 45180.9873484558510116044837809 45303.3193698068735931187237818 45364.6511059532301887078437827 45395.3585036178962461491237836 45410.7225971510203750809637845 45418.4072441322072231116837854 45422.2502178689817300172837863 45424.1718673229841904435237872 45425.1327326994081146470437881 45425.6131755503555864166437890 45425.853399516549438504963790#endif37913792static png_uint_323793png_exp(png_fixed_point x)3794{3795if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */3796{3797/* Obtain a 4-bit approximation */3798png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];37993800/* Incorporate the low 12 bits - these decrease the returned value by3801* multiplying by a number less than 1 if the bit is set. The multiplier3802* is determined by the above table and the shift. Notice that the values3803* converge on 45426 and this is used to allow linear interpolation of the3804* low bits.3805*/3806if (x & 0x800)3807e -= (((e >> 16) * 44938U) + 16U) >> 5;38083809if (x & 0x400)3810e -= (((e >> 16) * 45181U) + 32U) >> 6;38113812if (x & 0x200)3813e -= (((e >> 16) * 45303U) + 64U) >> 7;38143815if (x & 0x100)3816e -= (((e >> 16) * 45365U) + 128U) >> 8;38173818if (x & 0x080)3819e -= (((e >> 16) * 45395U) + 256U) >> 9;38203821if (x & 0x040)3822e -= (((e >> 16) * 45410U) + 512U) >> 10;38233824/* And handle the low 6 bits in a single block. */3825e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;38263827/* Handle the upper bits of x. */3828e >>= x >> 16;3829return e;3830}38313832/* Check for overflow */3833if (x <= 0)3834return png_32bit_exp[0];38353836/* Else underflow */3837return 0;3838}38393840static png_byte3841png_exp8bit(png_fixed_point lg2)3842{3843/* Get a 32-bit value: */3844png_uint_32 x = png_exp(lg2);38453846/* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the3847* second, rounding, step can't overflow because of the first, subtraction,3848* step.3849*/3850x -= x >> 8;3851return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);3852}38533854#ifdef PNG_16BIT_SUPPORTED3855static png_uint_163856png_exp16bit(png_fixed_point lg2)3857{3858/* Get a 32-bit value: */3859png_uint_32 x = png_exp(lg2);38603861/* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */3862x -= x >> 16;3863return (png_uint_16)((x + 32767U) >> 16);3864}3865#endif /* 16BIT */3866#endif /* FLOATING_ARITHMETIC */38673868png_byte3869png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)3870{3871if (value > 0 && value < 255)3872{3873# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED3874/* 'value' is unsigned, ANSI-C90 requires the compiler to correctly3875* convert this to a floating point value. This includes values that3876* would overflow if 'value' were to be converted to 'int'.3877*3878* Apparently GCC, however, does an intermediate conversion to (int)3879* on some (ARM) but not all (x86) platforms, possibly because of3880* hardware FP limitations. (E.g. if the hardware conversion always3881* assumes the integer register contains a signed value.) This results3882* in ANSI-C undefined behavior for large values.3883*3884* Other implementations on the same machine might actually be ANSI-C903885* conformant and therefore compile spurious extra code for the large3886* values.3887*3888* We can be reasonably sure that an unsigned to float conversion3889* won't be faster than an int to float one. Therefore this code3890* assumes responsibility for the undefined behavior, which it knows3891* can't happen because of the check above.3892*3893* Note the argument to this routine is an (unsigned int) because, on3894* 16-bit platforms, it is assigned a value which might be out of3895* range for an (int); that would result in undefined behavior in the3896* caller if the *argument* ('value') were to be declared (int).3897*/3898double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);3899return (png_byte)r;3900# else3901png_int_32 lg2 = png_log8bit(value);3902png_fixed_point res;39033904if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)3905return png_exp8bit(res);39063907/* Overflow. */3908value = 0;3909# endif3910}39113912return (png_byte)(value & 0xff);3913}39143915#ifdef PNG_16BIT_SUPPORTED3916png_uint_163917png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)3918{3919if (value > 0 && value < 65535)3920{3921# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED3922/* The same (unsigned int)->(double) constraints apply here as above,3923* however in this case the (unsigned int) to (int) conversion can3924* overflow on an ANSI-C90 compliant system so the cast needs to ensure3925* that this is not possible.3926*/3927double r = floor(65535*pow((png_int_32)value/65535.,3928gamma_val*.00001)+.5);3929return (png_uint_16)r;3930# else3931png_int_32 lg2 = png_log16bit(value);3932png_fixed_point res;39333934if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)3935return png_exp16bit(res);39363937/* Overflow. */3938value = 0;3939# endif3940}39413942return (png_uint_16)value;3943}3944#endif /* 16BIT */39453946/* This does the right thing based on the bit_depth field of the3947* png_struct, interpreting values as 8-bit or 16-bit. While the result3948* is nominally a 16-bit value if bit depth is 8 then the result is3949* 8-bit (as are the arguments.)3950*/3951png_uint_16 /* PRIVATE */3952png_gamma_correct(png_structrp png_ptr, unsigned int value,3953png_fixed_point gamma_val)3954{3955if (png_ptr->bit_depth == 8)3956return png_gamma_8bit_correct(value, gamma_val);39573958#ifdef PNG_16BIT_SUPPORTED3959else3960return png_gamma_16bit_correct(value, gamma_val);3961#else3962/* should not reach this */3963return 0;3964#endif /* 16BIT */3965}39663967#ifdef PNG_16BIT_SUPPORTED3968/* Internal function to build a single 16-bit table - the table consists of3969* 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount3970* to shift the input values right (or 16-number_of_signifiant_bits).3971*3972* The caller is responsible for ensuring that the table gets cleaned up on3973* png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument3974* should be somewhere that will be cleaned.3975*/3976static void3977png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,3978PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)3979{3980/* Various values derived from 'shift': */3981PNG_CONST unsigned int num = 1U << (8U - shift);3982#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED3983/* CSE the division and work round wacky GCC warnings (see the comments3984* in png_gamma_8bit_correct for where these come from.)3985*/3986PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);3987#endif3988PNG_CONST unsigned int max = (1U << (16U - shift))-1U;3989PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);3990unsigned int i;39913992png_uint_16pp table = *ptable =3993(png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));39943995for (i = 0; i < num; i++)3996{3997png_uint_16p sub_table = table[i] =3998(png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));39994000/* The 'threshold' test is repeated here because it can arise for one of4001* the 16-bit tables even if the others don't hit it.4002*/4003if (png_gamma_significant(gamma_val) != 0)4004{4005/* The old code would overflow at the end and this would cause the4006* 'pow' function to return a result >1, resulting in an4007* arithmetic error. This code follows the spec exactly; ig is4008* the recovered input sample, it always has 8-16 bits.4009*4010* We want input * 65535/max, rounded, the arithmetic fits in 324011* bits (unsigned) so long as max <= 32767.4012*/4013unsigned int j;4014for (j = 0; j < 256; j++)4015{4016png_uint_32 ig = (j << (8-shift)) + i;4017# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED4018/* Inline the 'max' scaling operation: */4019/* See png_gamma_8bit_correct for why the cast to (int) is4020* required here.4021*/4022double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);4023sub_table[j] = (png_uint_16)d;4024# else4025if (shift != 0)4026ig = (ig * 65535U + max_by_2)/max;40274028sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);4029# endif4030}4031}4032else4033{4034/* We must still build a table, but do it the fast way. */4035unsigned int j;40364037for (j = 0; j < 256; j++)4038{4039png_uint_32 ig = (j << (8-shift)) + i;40404041if (shift != 0)4042ig = (ig * 65535U + max_by_2)/max;40434044sub_table[j] = (png_uint_16)ig;4045}4046}4047}4048}40494050/* NOTE: this function expects the *inverse* of the overall gamma transformation4051* required.4052*/4053static void4054png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,4055PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)4056{4057PNG_CONST unsigned int num = 1U << (8U - shift);4058PNG_CONST unsigned int max = (1U << (16U - shift))-1U;4059unsigned int i;4060png_uint_32 last;40614062png_uint_16pp table = *ptable =4063(png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));40644065/* 'num' is the number of tables and also the number of low bits of low4066* bits of the input 16-bit value used to select a table. Each table is4067* itself indexed by the high 8 bits of the value.4068*/4069for (i = 0; i < num; i++)4070table[i] = (png_uint_16p)png_malloc(png_ptr,4071256 * (sizeof (png_uint_16)));40724073/* 'gamma_val' is set to the reciprocal of the value calculated above, so4074* pow(out,g) is an *input* value. 'last' is the last input value set.4075*4076* In the loop 'i' is used to find output values. Since the output is4077* 8-bit there are only 256 possible values. The tables are set up to4078* select the closest possible output value for each input by finding4079* the input value at the boundary between each pair of output values4080* and filling the table up to that boundary with the lower output4081* value.4082*4083* The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit4084* values the code below uses a 16-bit value in i; the values start at4085* 128.5 (for 0.5) and step by 257, for a total of 254 values (the last4086* entries are filled with 255). Start i at 128 and fill all 'last'4087* table entries <= 'max'4088*/4089last = 0;4090for (i = 0; i < 255; ++i) /* 8-bit output value */4091{4092/* Find the corresponding maximum input value */4093png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */40944095/* Find the boundary value in 16 bits: */4096png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);40974098/* Adjust (round) to (16-shift) bits: */4099bound = (bound * max + 32768U)/65535U + 1U;41004101while (last < bound)4102{4103table[last & (0xffU >> shift)][last >> (8U - shift)] = out;4104last++;4105}4106}41074108/* And fill in the final entries. */4109while (last < (num << 8))4110{4111table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;4112last++;4113}4114}4115#endif /* 16BIT */41164117/* Build a single 8-bit table: same as the 16-bit case but much simpler (and4118* typically much faster). Note that libpng currently does no sBIT processing4119* (apparently contrary to the spec) so a 256-entry table is always generated.4120*/4121static void4122png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,4123PNG_CONST png_fixed_point gamma_val)4124{4125unsigned int i;4126png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);41274128if (png_gamma_significant(gamma_val) != 0)4129for (i=0; i<256; i++)4130table[i] = png_gamma_8bit_correct(i, gamma_val);41314132else4133for (i=0; i<256; ++i)4134table[i] = (png_byte)(i & 0xff);4135}41364137/* Used from png_read_destroy and below to release the memory used by the gamma4138* tables.4139*/4140void /* PRIVATE */4141png_destroy_gamma_table(png_structrp png_ptr)4142{4143png_free(png_ptr, png_ptr->gamma_table);4144png_ptr->gamma_table = NULL;41454146#ifdef PNG_16BIT_SUPPORTED4147if (png_ptr->gamma_16_table != NULL)4148{4149int i;4150int istop = (1 << (8 - png_ptr->gamma_shift));4151for (i = 0; i < istop; i++)4152{4153png_free(png_ptr, png_ptr->gamma_16_table[i]);4154}4155png_free(png_ptr, png_ptr->gamma_16_table);4156png_ptr->gamma_16_table = NULL;4157}4158#endif /* 16BIT */41594160#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \4161defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \4162defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)4163png_free(png_ptr, png_ptr->gamma_from_1);4164png_ptr->gamma_from_1 = NULL;4165png_free(png_ptr, png_ptr->gamma_to_1);4166png_ptr->gamma_to_1 = NULL;41674168#ifdef PNG_16BIT_SUPPORTED4169if (png_ptr->gamma_16_from_1 != NULL)4170{4171int i;4172int istop = (1 << (8 - png_ptr->gamma_shift));4173for (i = 0; i < istop; i++)4174{4175png_free(png_ptr, png_ptr->gamma_16_from_1[i]);4176}4177png_free(png_ptr, png_ptr->gamma_16_from_1);4178png_ptr->gamma_16_from_1 = NULL;4179}4180if (png_ptr->gamma_16_to_1 != NULL)4181{4182int i;4183int istop = (1 << (8 - png_ptr->gamma_shift));4184for (i = 0; i < istop; i++)4185{4186png_free(png_ptr, png_ptr->gamma_16_to_1[i]);4187}4188png_free(png_ptr, png_ptr->gamma_16_to_1);4189png_ptr->gamma_16_to_1 = NULL;4190}4191#endif /* 16BIT */4192#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */4193}41944195/* We build the 8- or 16-bit gamma tables here. Note that for 16-bit4196* tables, we don't make a full table if we are reducing to 8-bit in4197* the future. Note also how the gamma_16 tables are segmented so that4198* we don't need to allocate > 64K chunks for a full 16-bit table.4199*/4200void /* PRIVATE */4201png_build_gamma_table(png_structrp png_ptr, int bit_depth)4202{4203png_debug(1, "in png_build_gamma_table");42044205/* Remove any existing table; this copes with multiple calls to4206* png_read_update_info. The warning is because building the gamma tables4207* multiple times is a performance hit - it's harmless but the ability to4208* call png_read_update_info() multiple times is new in 1.5.6 so it seems4209* sensible to warn if the app introduces such a hit.4210*/4211if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)4212{4213png_warning(png_ptr, "gamma table being rebuilt");4214png_destroy_gamma_table(png_ptr);4215}42164217if (bit_depth <= 8)4218{4219png_build_8bit_table(png_ptr, &png_ptr->gamma_table,4220png_ptr->screen_gamma > 0 ?4221png_reciprocal2(png_ptr->colorspace.gamma,4222png_ptr->screen_gamma) : PNG_FP_1);42234224#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \4225defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \4226defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)4227if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)4228{4229png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,4230png_reciprocal(png_ptr->colorspace.gamma));42314232png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,4233png_ptr->screen_gamma > 0 ?4234png_reciprocal(png_ptr->screen_gamma) :4235png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);4236}4237#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */4238}4239#ifdef PNG_16BIT_SUPPORTED4240else4241{4242png_byte shift, sig_bit;42434244if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)4245{4246sig_bit = png_ptr->sig_bit.red;42474248if (png_ptr->sig_bit.green > sig_bit)4249sig_bit = png_ptr->sig_bit.green;42504251if (png_ptr->sig_bit.blue > sig_bit)4252sig_bit = png_ptr->sig_bit.blue;4253}4254else4255sig_bit = png_ptr->sig_bit.gray;42564257/* 16-bit gamma code uses this equation:4258*4259* ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]4260*4261* Where 'iv' is the input color value and 'ov' is the output value -4262* pow(iv, gamma).4263*4264* Thus the gamma table consists of up to 256 256-entry tables. The table4265* is selected by the (8-gamma_shift) most significant of the low 8 bits4266* of the color value then indexed by the upper 8 bits:4267*4268* table[low bits][high 8 bits]4269*4270* So the table 'n' corresponds to all those 'iv' of:4271*4272* <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>4273*4274*/4275if (sig_bit > 0 && sig_bit < 16U)4276/* shift == insignificant bits */4277shift = (png_byte)((16U - sig_bit) & 0xff);42784279else4280shift = 0; /* keep all 16 bits */42814282if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)4283{4284/* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively4285* the significant bits in the *input* when the output will4286* eventually be 8 bits. By default it is 11.4287*/4288if (shift < (16U - PNG_MAX_GAMMA_8))4289shift = (16U - PNG_MAX_GAMMA_8);4290}42914292if (shift > 8U)4293shift = 8U; /* Guarantees at least one table! */42944295png_ptr->gamma_shift = shift;42964297/* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now4298* PNG_COMPOSE). This effectively smashed the background calculation for4299* 16-bit output because the 8-bit table assumes the result will be4300* reduced to 8 bits.4301*/4302if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)4303png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,4304png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,4305png_ptr->screen_gamma) : PNG_FP_1);43064307else4308png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,4309png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,4310png_ptr->screen_gamma) : PNG_FP_1);43114312#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \4313defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \4314defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)4315if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)4316{4317png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,4318png_reciprocal(png_ptr->colorspace.gamma));43194320/* Notice that the '16 from 1' table should be full precision, however4321* the lookup on this table still uses gamma_shift, so it can't be.4322* TODO: fix this.4323*/4324png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,4325png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :4326png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);4327}4328#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */4329}4330#endif /* 16BIT */4331}4332#endif /* READ_GAMMA */43334334/* HARDWARE OR SOFTWARE OPTION SUPPORT */4335#ifdef PNG_SET_OPTION_SUPPORTED4336int PNGAPI4337png_set_option(png_structrp png_ptr, int option, int onoff)4338{4339if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&4340(option & 1) == 0)4341{4342png_uint_32 mask = 3U << option;4343png_uint_32 setting = (2U + (onoff != 0)) << option;4344png_uint_32 current = png_ptr->options;43454346png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff);43474348return (int)(current & mask) >> option;4349}43504351return PNG_OPTION_INVALID;4352}4353#endif43544355/* sRGB support */4356#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\4357defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)4358/* sRGB conversion tables; these are machine generated with the code in4359* contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the4360* specification (see the article at https://en.wikipedia.org/wiki/SRGB)4361* is used, not the gamma=1/2.2 approximation use elsewhere in libpng.4362* The sRGB to linear table is exact (to the nearest 16-bit linear fraction).4363* The inverse (linear to sRGB) table has accuracies as follows:4364*4365* For all possible (255*65535+1) input values:4366*4367* error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact4368*4369* For the input values corresponding to the 65536 16-bit values:4370*4371* error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact4372*4373* In all cases the inexact readings are only off by one.4374*/43754376#ifdef PNG_SIMPLIFIED_READ_SUPPORTED4377/* The convert-to-sRGB table is only currently required for read. */4378const png_uint_16 png_sRGB_table[256] =4379{43800,20,40,60,80,99,119,139,4381159,179,199,219,241,264,288,313,4382340,367,396,427,458,491,526,562,4383599,637,677,718,761,805,851,898,4384947,997,1048,1101,1156,1212,1270,1330,43851391,1453,1517,1583,1651,1720,1790,1863,43861937,2013,2090,2170,2250,2333,2418,2504,43872592,2681,2773,2866,2961,3058,3157,3258,43883360,3464,3570,3678,3788,3900,4014,4129,43894247,4366,4488,4611,4736,4864,4993,5124,43905257,5392,5530,5669,5810,5953,6099,6246,43916395,6547,6700,6856,7014,7174,7335,7500,43927666,7834,8004,8177,8352,8528,8708,8889,43939072,9258,9445,9635,9828,10022,10219,10417,439410619,10822,11028,11235,11446,11658,11873,12090,439512309,12530,12754,12980,13209,13440,13673,13909,439614146,14387,14629,14874,15122,15371,15623,15878,439716135,16394,16656,16920,17187,17456,17727,18001,439818277,18556,18837,19121,19407,19696,19987,20281,439920577,20876,21177,21481,21787,22096,22407,22721,440023038,23357,23678,24002,24329,24658,24990,25325,440125662,26001,26344,26688,27036,27386,27739,28094,440228452,28813,29176,29542,29911,30282,30656,31033,440331412,31794,32179,32567,32957,33350,33745,34143,440434544,34948,35355,35764,36176,36591,37008,37429,440537852,38278,38706,39138,39572,40009,40449,40891,440641337,41785,42236,42690,43147,43606,44069,44534,440745002,45473,45947,46423,46903,47385,47871,48359,440848850,49344,49841,50341,50844,51349,51858,52369,440952884,53401,53921,54445,54971,55500,56032,56567,441057105,57646,58190,58737,59287,59840,60396,60955,441161517,62082,62650,63221,63795,64372,64952,655354412};4413#endif /* SIMPLIFIED_READ */44144415/* The base/delta tables are required for both read and write (but currently4416* only the simplified versions.)4417*/4418const png_uint_16 png_sRGB_base[512] =4419{4420128,1782,3383,4644,5675,6564,7357,8074,44218732,9346,9921,10463,10977,11466,11935,12384,442212816,13233,13634,14024,14402,14769,15125,15473,442315812,16142,16466,16781,17090,17393,17690,17981,442418266,18546,18822,19093,19359,19621,19879,20133,442520383,20630,20873,21113,21349,21583,21813,22041,442622265,22487,22707,22923,23138,23350,23559,23767,442723972,24175,24376,24575,24772,24967,25160,25352,442825542,25730,25916,26101,26284,26465,26645,26823,442927000,27176,27350,27523,27695,27865,28034,28201,443028368,28533,28697,28860,29021,29182,29341,29500,443129657,29813,29969,30123,30276,30429,30580,30730,443230880,31028,31176,31323,31469,31614,31758,31902,443332045,32186,32327,32468,32607,32746,32884,33021,443433158,33294,33429,33564,33697,33831,33963,34095,443534226,34357,34486,34616,34744,34873,35000,35127,443635253,35379,35504,35629,35753,35876,35999,36122,443736244,36365,36486,36606,36726,36845,36964,37083,443837201,37318,37435,37551,37668,37783,37898,38013,443938127,38241,38354,38467,38580,38692,38803,38915,444039026,39136,39246,39356,39465,39574,39682,39790,444139898,40005,40112,40219,40325,40431,40537,40642,444240747,40851,40955,41059,41163,41266,41369,41471,444341573,41675,41777,41878,41979,42079,42179,42279,444442379,42478,42577,42676,42775,42873,42971,43068,444543165,43262,43359,43456,43552,43648,43743,43839,444643934,44028,44123,44217,44311,44405,44499,44592,444744685,44778,44870,44962,45054,45146,45238,45329,444845420,45511,45601,45692,45782,45872,45961,46051,444946140,46229,46318,46406,46494,46583,46670,46758,445046846,46933,47020,47107,47193,47280,47366,47452,445147538,47623,47709,47794,47879,47964,48048,48133,445248217,48301,48385,48468,48552,48635,48718,48801,445348884,48966,49048,49131,49213,49294,49376,49458,445449539,49620,49701,49782,49862,49943,50023,50103,445550183,50263,50342,50422,50501,50580,50659,50738,445650816,50895,50973,51051,51129,51207,51285,51362,445751439,51517,51594,51671,51747,51824,51900,51977,445852053,52129,52205,52280,52356,52432,52507,52582,445952657,52732,52807,52881,52956,53030,53104,53178,446053252,53326,53400,53473,53546,53620,53693,53766,446153839,53911,53984,54056,54129,54201,54273,54345,446254417,54489,54560,54632,54703,54774,54845,54916,446354987,55058,55129,55199,55269,55340,55410,55480,446455550,55620,55689,55759,55828,55898,55967,56036,446556105,56174,56243,56311,56380,56448,56517,56585,446656653,56721,56789,56857,56924,56992,57059,57127,446757194,57261,57328,57395,57462,57529,57595,57662,446857728,57795,57861,57927,57993,58059,58125,58191,446958256,58322,58387,58453,58518,58583,58648,58713,447058778,58843,58908,58972,59037,59101,59165,59230,447159294,59358,59422,59486,59549,59613,59677,59740,447259804,59867,59930,59993,60056,60119,60182,60245,447360308,60370,60433,60495,60558,60620,60682,60744,447460806,60868,60930,60992,61054,61115,61177,61238,447561300,61361,61422,61483,61544,61605,61666,61727,447661788,61848,61909,61969,62030,62090,62150,62211,447762271,62331,62391,62450,62510,62570,62630,62689,447862749,62808,62867,62927,62986,63045,63104,63163,447963222,63281,63340,63398,63457,63515,63574,63632,448063691,63749,63807,63865,63923,63981,64039,64097,448164155,64212,64270,64328,64385,64443,64500,64557,448264614,64672,64729,64786,64843,64900,64956,65013,448365070,65126,65183,65239,65296,65352,65409,654654484};44854486const png_byte png_sRGB_delta[512] =4487{4488207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,448952,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,449035,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,449128,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,449223,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,449321,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,449419,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,449517,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,449616,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,449715,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,449814,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,449913,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,450012,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,450112,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,450211,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,450311,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,450411,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,450510,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,450610,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,450710,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,45089,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,45099,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,45109,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,45119,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,45128,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,45138,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,45148,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,45158,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,45168,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,45177,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,45187,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,45197,7,7,7,7,7,7,7,7,7,7,7,7,7,7,74520};4521#endif /* SIMPLIFIED READ/WRITE sRGB support */45224523/* SIMPLIFIED READ/WRITE SUPPORT */4524#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\4525defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)4526static int4527png_image_free_function(png_voidp argument)4528{4529png_imagep image = png_voidcast(png_imagep, argument);4530png_controlp cp = image->opaque;4531png_control c;45324533/* Double check that we have a png_ptr - it should be impossible to get here4534* without one.4535*/4536if (cp->png_ptr == NULL)4537return 0;45384539/* First free any data held in the control structure. */4540# ifdef PNG_STDIO_SUPPORTED4541if (cp->owned_file != 0)4542{4543FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);4544cp->owned_file = 0;45454546/* Ignore errors here. */4547if (fp != NULL)4548{4549cp->png_ptr->io_ptr = NULL;4550(void)fclose(fp);4551}4552}4553# endif45544555/* Copy the control structure so that the original, allocated, version can be4556* safely freed. Notice that a png_error here stops the remainder of the4557* cleanup, but this is probably fine because that would indicate bad memory4558* problems anyway.4559*/4560c = *cp;4561image->opaque = &c;4562png_free(c.png_ptr, cp);45634564/* Then the structures, calling the correct API. */4565if (c.for_write != 0)4566{4567# ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED4568png_destroy_write_struct(&c.png_ptr, &c.info_ptr);4569# else4570png_error(c.png_ptr, "simplified write not supported");4571# endif4572}4573else4574{4575# ifdef PNG_SIMPLIFIED_READ_SUPPORTED4576png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);4577# else4578png_error(c.png_ptr, "simplified read not supported");4579# endif4580}45814582/* Success. */4583return 1;4584}45854586void PNGAPI4587png_image_free(png_imagep image)4588{4589/* Safely call the real function, but only if doing so is safe at this point4590* (if not inside an error handling context). Otherwise assume4591* png_safe_execute will call this API after the return.4592*/4593if (image != NULL && image->opaque != NULL &&4594image->opaque->error_buf == NULL)4595{4596/* Ignore errors here: */4597(void)png_safe_execute(image, png_image_free_function, image);4598image->opaque = NULL;4599}4600}46014602int /* PRIVATE */4603png_image_error(png_imagep image, png_const_charp error_message)4604{4605/* Utility to log an error. */4606png_safecat(image->message, (sizeof image->message), 0, error_message);4607image->warning_or_error |= PNG_IMAGE_ERROR;4608png_image_free(image);4609return 0;4610}46114612#endif /* SIMPLIFIED READ/WRITE */4613#endif /* READ || WRITE */461446154616