1
/* pngrutil.c - utilities to read a PNG file
2
 *
3
 * Copyright (c) 2018-2025 Cosmin Truta
4
 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
5
 * Copyright (c) 1996-1997 Andreas Dilger
6
 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
7
 *
8
 * This code is released under the libpng license.
9
 * For conditions of distribution and use, see the disclaimer
10
 * and license in png.h
11
 *
12
 * This file contains routines that are only called from within
13
 * libpng itself during the course of reading an image.
14
 */
15

16
#include "pngpriv.h"
17

18
#ifdef PNG_READ_SUPPORTED
19

20
/* The minimum 'zlib' stream is assumed to be just the 2 byte header, 5 bytes
21
 * minimum 'deflate' stream, and the 4 byte checksum.
22
 */
23
#define LZ77Min  (2U+5U+4U)
24

25
#ifdef PNG_READ_INTERLACING_SUPPORTED
26
/* Arrays to facilitate interlacing - use pass (0 - 6) as index. */
27

28
/* Start of interlace block */
29
static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
30
/* Offset to next interlace block */
31
static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
32
/* Start of interlace block in the y direction */
33
static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
34
/* Offset to next interlace block in the y direction */
35
static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
36

37
/* TODO: Move these arrays to a common utility module to avoid duplication. */
38
#endif
39

40
png_uint_32 PNGAPI
41
png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
42
{
43
   png_uint_32 uval = png_get_uint_32(buf);
44

45
   if (uval > PNG_UINT_31_MAX)
46
      png_error(png_ptr, "PNG unsigned integer out of range");
47

48
   return uval;
49
}
50

51
#ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
52
/* NOTE: the read macros will obscure these definitions, so that if
53
 * PNG_USE_READ_MACROS is set the library will not use them internally,
54
 * but the APIs will still be available externally.
55
 *
56
 * The parentheses around "PNGAPI function_name" in the following three
57
 * functions are necessary because they allow the macros to co-exist with
58
 * these (unused but exported) functions.
59
 */
60

61
/* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
62
png_uint_32 (PNGAPI
63
png_get_uint_32)(png_const_bytep buf)
64
{
65
   png_uint_32 uval =
66
       ((png_uint_32)(*(buf    )) << 24) +
67
       ((png_uint_32)(*(buf + 1)) << 16) +
68
       ((png_uint_32)(*(buf + 2)) <<  8) +
69
       ((png_uint_32)(*(buf + 3))      ) ;
70

71
   return uval;
72
}
73

74
/* Grab a signed 32-bit integer from a buffer in big-endian format.  The
75
 * data is stored in the PNG file in two's complement format and there
76
 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
77
 * the following code does a two's complement to native conversion.
78
 */
79
png_int_32 (PNGAPI
80
png_get_int_32)(png_const_bytep buf)
81
{
82
   png_uint_32 uval = png_get_uint_32(buf);
83
   if ((uval & 0x80000000) == 0) /* non-negative */
84
      return (png_int_32)uval;
85

86
   uval = (uval ^ 0xffffffff) + 1;  /* 2's complement: -x = ~x+1 */
87
   if ((uval & 0x80000000) == 0) /* no overflow */
88
      return -(png_int_32)uval;
89
   /* The following has to be safe; this function only gets called on PNG data
90
    * and if we get here that data is invalid.  0 is the most safe value and
91
    * if not then an attacker would surely just generate a PNG with 0 instead.
92
    */
93
   return 0;
94
}
95

96
/* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
97
png_uint_16 (PNGAPI
98
png_get_uint_16)(png_const_bytep buf)
99
{
100
   /* ANSI-C requires an int value to accommodate at least 16 bits so this
101
    * works and allows the compiler not to worry about possible narrowing
102
    * on 32-bit systems.  (Pre-ANSI systems did not make integers smaller
103
    * than 16 bits either.)
104
    */
105
   unsigned int val =
106
       ((unsigned int)(*buf) << 8) +
107
       ((unsigned int)(*(buf + 1)));
108

109
   return (png_uint_16)val;
110
}
111

112
#endif /* READ_INT_FUNCTIONS */
113

114
/* Read and check the PNG file signature */
115
void /* PRIVATE */
116
png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
117
{
118
   size_t num_checked, num_to_check;
119

120
   /* Exit if the user application does not expect a signature. */
121
   if (png_ptr->sig_bytes >= 8)
122
      return;
123

124
   num_checked = png_ptr->sig_bytes;
125
   num_to_check = 8 - num_checked;
126

127
#ifdef PNG_IO_STATE_SUPPORTED
128
   png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
129
#endif
130

131
   /* The signature must be serialized in a single I/O call. */
132
   png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
133
   png_ptr->sig_bytes = 8;
134

135
   if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
136
   {
137
      if (num_checked < 4 &&
138
          png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4) != 0)
139
         png_error(png_ptr, "Not a PNG file");
140
      else
141
         png_error(png_ptr, "PNG file corrupted by ASCII conversion");
142
   }
143
   if (num_checked < 3)
144
      png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
145
}
146

147
/* This function is called to verify that a chunk name is valid.
148
 * Do this using the bit-whacking approach from contrib/tools/pngfix.c
149
 *
150
 * Copied from libpng 1.7.
151
 */
152
static int
153
check_chunk_name(png_uint_32 name)
154
{
155
   png_uint_32 t;
156

157
   /* Remove bit 5 from all but the reserved byte; this means
158
    * every 8-bit unit must be in the range 65-90 to be valid.
159
    * So bit 5 must be zero, bit 6 must be set and bit 7 zero.
160
    */
161
   name &= ~PNG_U32(32,32,0,32);
162
   t = (name & ~0x1f1f1f1fU) ^ 0x40404040U;
163

164
   /* Subtract 65 for each 8-bit quantity, this must not
165
    * overflow and each byte must then be in the range 0-25.
166
    */
167
   name -= PNG_U32(65,65,65,65);
168
   t |= name;
169

170
   /* Subtract 26, handling the overflow which should set the
171
    * top three bits of each byte.
172
    */
173
   name -= PNG_U32(25,25,25,26);
174
   t |= ~name;
175

176
   return (t & 0xe0e0e0e0U) == 0U;
177
}
178

179
/* Read the chunk header (length + type name).
180
 * Put the type name into png_ptr->chunk_name, and return the length.
181
 */
182
png_uint_32 /* PRIVATE */
183
png_read_chunk_header(png_structrp png_ptr)
184
{
185
   png_byte buf[8];
186
   png_uint_32 chunk_name, length;
187

188
#ifdef PNG_IO_STATE_SUPPORTED
189
   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
190
#endif
191

192
   /* Read the length and the chunk name.  png_struct::chunk_name is immediately
193
    * updated even if they are detectably wrong.  This aids error message
194
    * handling by allowing png_chunk_error to be used.
195
    */
196
   png_read_data(png_ptr, buf, 8);
197
   length = png_get_uint_31(png_ptr, buf);
198
   png_ptr->chunk_name = chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
199

200
   /* Reset the crc and run it over the chunk name. */
201
   png_reset_crc(png_ptr);
202
   png_calculate_crc(png_ptr, buf + 4, 4);
203

204
   png_debug2(0, "Reading chunk typeid = 0x%lx, length = %lu",
205
       (unsigned long)png_ptr->chunk_name, (unsigned long)length);
206

207
   /* Sanity check the length (first by <= 0x80) and the chunk name.  An error
208
    * here indicates a broken stream and libpng has no recovery from this.
209
    */
210
   if (buf[0] >= 0x80U)
211
      png_chunk_error(png_ptr, "bad header (invalid length)");
212

213
   /* Check to see if chunk name is valid. */
214
   if (!check_chunk_name(chunk_name))
215
      png_chunk_error(png_ptr, "bad header (invalid type)");
216

217
#ifdef PNG_IO_STATE_SUPPORTED
218
   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
219
#endif
220

221
   return length;
222
}
223

224
/* Read data, and (optionally) run it through the CRC. */
225
void /* PRIVATE */
226
png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
227
{
228
   if (png_ptr == NULL)
229
      return;
230

231
   png_read_data(png_ptr, buf, length);
232
   png_calculate_crc(png_ptr, buf, length);
233
}
234

235
/* Compare the CRC stored in the PNG file with that calculated by libpng from
236
 * the data it has read thus far.
237
 */
238
static int
239
png_crc_error(png_structrp png_ptr, int handle_as_ancillary)
240
{
241
   png_byte crc_bytes[4];
242
   png_uint_32 crc;
243
   int need_crc = 1;
244

245
   /* There are four flags two for ancillary and two for critical chunks.  The
246
    * default setting of these flags is all zero.
247
    *
248
    * PNG_FLAG_CRC_ANCILLARY_USE
249
    * PNG_FLAG_CRC_ANCILLARY_NOWARN
250
    *  USE+NOWARN: no CRC calculation (implemented here), else;
251
    *  NOWARN:     png_chunk_error on error (implemented in png_crc_finish)
252
    *  else:       png_chunk_warning on error (implemented in png_crc_finish)
253
    *              This is the default.
254
    *
255
    *    I.e. NOWARN without USE produces png_chunk_error.  The default setting
256
    *    where neither are set does the same thing.
257
    *
258
    * PNG_FLAG_CRC_CRITICAL_USE
259
    * PNG_FLAG_CRC_CRITICAL_IGNORE
260
    *  IGNORE: no CRC calculation (implemented here), else;
261
    *  USE:    png_chunk_warning on error (implemented in png_crc_finish)
262
    *  else:   png_chunk_error on error (implemented in png_crc_finish)
263
    *          This is the default.
264
    *
265
    * This arose because of original mis-implementation and has persisted for
266
    * compatibility reasons.
267
    *
268
    * TODO: the flag names are internal so maybe this can be changed to
269
    * something comprehensible.
270
    */
271
   if (handle_as_ancillary || PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
272
   {
273
      if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
274
          (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
275
         need_crc = 0;
276
   }
277

278
   else /* critical */
279
   {
280
      if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
281
         need_crc = 0;
282
   }
283

284
#ifdef PNG_IO_STATE_SUPPORTED
285
   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
286
#endif
287

288
   /* The chunk CRC must be serialized in a single I/O call. */
289
   png_read_data(png_ptr, crc_bytes, 4);
290

291
   if (need_crc != 0)
292
   {
293
      crc = png_get_uint_32(crc_bytes);
294
      return crc != png_ptr->crc;
295
   }
296

297
   else
298
      return 0;
299
}
300

301
/* Optionally skip data and then check the CRC.  Depending on whether we
302
 * are reading an ancillary or critical chunk, and how the program has set
303
 * things up, we may calculate the CRC on the data and print a message.
304
 * Returns '1' if there was a CRC error, '0' otherwise.
305
 *
306
 * There is one public version which is used in most places and another which
307
 * takes the value for the 'critical' flag to check.  This allows PLTE and IEND
308
 * handling code to ignore the CRC error and removes some confusing code
309
 * duplication.
310
 */
311
static int
312
png_crc_finish_critical(png_structrp png_ptr, png_uint_32 skip,
313
      int handle_as_ancillary)
314
{
315
   /* The size of the local buffer for inflate is a good guess as to a
316
    * reasonable size to use for buffering reads from the application.
317
    */
318
   while (skip > 0)
319
   {
320
      png_uint_32 len;
321
      png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
322

323
      len = (sizeof tmpbuf);
324
      if (len > skip)
325
         len = skip;
326
      skip -= len;
327

328
      png_crc_read(png_ptr, tmpbuf, len);
329
   }
330

331
   /* If 'handle_as_ancillary' has been requested and this is a critical chunk
332
    * but PNG_FLAG_CRC_CRITICAL_IGNORE was set then png_read_crc did not, in
333
    * fact, calculate the CRC so the ANCILLARY settings should not be used
334
    * instead.
335
    */
336
   if (handle_as_ancillary &&
337
       (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
338
      handle_as_ancillary = 0;
339

340
   /* TODO: this might be more comprehensible if png_crc_error was inlined here.
341
    */
342
   if (png_crc_error(png_ptr, handle_as_ancillary) != 0)
343
   {
344
      /* See above for the explanation of how the flags work. */
345
      if (handle_as_ancillary || PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?
346
          (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :
347
          (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)
348
         png_chunk_warning(png_ptr, "CRC error");
349

350
      else
351
         png_chunk_error(png_ptr, "CRC error");
352

353
      return 1;
354
   }
355

356
   return 0;
357
}
358

359
int /* PRIVATE */
360
png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
361
{
362
   return png_crc_finish_critical(png_ptr, skip, 0/*critical handling*/);
363
}
364

365
#if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
366
    defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
367
    defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
368
    defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_eXIf_SUPPORTED) ||\
369
    defined(PNG_SEQUENTIAL_READ_SUPPORTED)
370
/* Manage the read buffer; this simply reallocates the buffer if it is not small
371
 * enough (or if it is not allocated).  The routine returns a pointer to the
372
 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
373
 * it will call png_error on failure.
374
 */
375
static png_bytep
376
png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size)
377
{
378
   png_bytep buffer = png_ptr->read_buffer;
379

380
   if (new_size > png_chunk_max(png_ptr)) return NULL;
381

382
   if (buffer != NULL && new_size > png_ptr->read_buffer_size)
383
   {
384
      png_ptr->read_buffer = NULL;
385
      png_ptr->read_buffer_size = 0;
386
      png_free(png_ptr, buffer);
387
      buffer = NULL;
388
   }
389

390
   if (buffer == NULL)
391
   {
392
      buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
393

394
      if (buffer != NULL)
395
      {
396
#        ifndef PNG_NO_MEMZERO /* for detecting UIM bugs **only** */
397
            memset(buffer, 0, new_size); /* just in case */
398
#        endif
399
         png_ptr->read_buffer = buffer;
400
         png_ptr->read_buffer_size = new_size;
401
      }
402
   }
403

404
   return buffer;
405
}
406
#endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|eXIf|SEQUENTIAL_READ */
407

408
/* png_inflate_claim: claim the zstream for some nefarious purpose that involves
409
 * decompression.  Returns Z_OK on success, else a zlib error code.  It checks
410
 * the owner but, in final release builds, just issues a warning if some other
411
 * chunk apparently owns the stream.  Prior to release it does a png_error.
412
 */
413
static int
414
png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
415
{
416
   if (png_ptr->zowner != 0)
417
   {
418
      char msg[64];
419

420
      PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
421
      /* So the message that results is "<chunk> using zstream"; this is an
422
       * internal error, but is very useful for debugging.  i18n requirements
423
       * are minimal.
424
       */
425
      (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
426
#if PNG_RELEASE_BUILD
427
      png_chunk_warning(png_ptr, msg);
428
      png_ptr->zowner = 0;
429
#else
430
      png_chunk_error(png_ptr, msg);
431
#endif
432
   }
433

434
   /* Implementation note: unlike 'png_deflate_claim' this internal function
435
    * does not take the size of the data as an argument.  Some efficiency could
436
    * be gained by using this when it is known *if* the zlib stream itself does
437
    * not record the number; however, this is an illusion: the original writer
438
    * of the PNG may have selected a lower window size, and we really must
439
    * follow that because, for systems with with limited capabilities, we
440
    * would otherwise reject the application's attempts to use a smaller window
441
    * size (zlib doesn't have an interface to say "this or lower"!).
442
    *
443
    * inflateReset2 was added to zlib 1.2.4; before this the window could not be
444
    * reset, therefore it is necessary to always allocate the maximum window
445
    * size with earlier zlibs just in case later compressed chunks need it.
446
    */
447
   {
448
      int ret; /* zlib return code */
449
#if ZLIB_VERNUM >= 0x1240
450
      int window_bits = 0;
451

452
# if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
453
      if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
454
          PNG_OPTION_ON)
455
      {
456
         window_bits = 15;
457
         png_ptr->zstream_start = 0; /* fixed window size */
458
      }
459

460
      else
461
      {
462
         png_ptr->zstream_start = 1;
463
      }
464
# endif
465

466
#endif /* ZLIB_VERNUM >= 0x1240 */
467

468
      /* Set this for safety, just in case the previous owner left pointers to
469
       * memory allocations.
470
       */
471
      png_ptr->zstream.next_in = NULL;
472
      png_ptr->zstream.avail_in = 0;
473
      png_ptr->zstream.next_out = NULL;
474
      png_ptr->zstream.avail_out = 0;
475

476
      if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
477
      {
478
#if ZLIB_VERNUM >= 0x1240
479
         ret = inflateReset2(&png_ptr->zstream, window_bits);
480
#else
481
         ret = inflateReset(&png_ptr->zstream);
482
#endif
483
      }
484

485
      else
486
      {
487
#if ZLIB_VERNUM >= 0x1240
488
         ret = inflateInit2(&png_ptr->zstream, window_bits);
489
#else
490
         ret = inflateInit(&png_ptr->zstream);
491
#endif
492

493
         if (ret == Z_OK)
494
            png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
495
      }
496

497
#ifdef PNG_DISABLE_ADLER32_CHECK_SUPPORTED
498
      if (((png_ptr->options >> PNG_IGNORE_ADLER32) & 3) == PNG_OPTION_ON)
499
         /* Turn off validation of the ADLER32 checksum in IDAT chunks */
500
         ret = inflateValidate(&png_ptr->zstream, 0);
501
#endif
502

503
      if (ret == Z_OK)
504
         png_ptr->zowner = owner;
505

506
      else
507
         png_zstream_error(png_ptr, ret);
508

509
      return ret;
510
   }
511

512
#ifdef window_bits
513
# undef window_bits
514
#endif
515
}
516

517
#if ZLIB_VERNUM >= 0x1240
518
/* Handle the start of the inflate stream if we called inflateInit2(strm,0);
519
 * in this case some zlib versions skip validation of the CINFO field and, in
520
 * certain circumstances, libpng may end up displaying an invalid image, in
521
 * contrast to implementations that call zlib in the normal way (e.g. libpng
522
 * 1.5).
523
 */
524
int /* PRIVATE */
525
png_zlib_inflate(png_structrp png_ptr, int flush)
526
{
527
   if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)
528
   {
529
      if ((*png_ptr->zstream.next_in >> 4) > 7)
530
      {
531
         png_ptr->zstream.msg = "invalid window size (libpng)";
532
         return Z_DATA_ERROR;
533
      }
534

535
      png_ptr->zstream_start = 0;
536
   }
537

538
   return inflate(&png_ptr->zstream, flush);
539
}
540
#endif /* Zlib >= 1.2.4 */
541

542
#ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
543
#if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED)
544
/* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
545
 * allow the caller to do multiple calls if required.  If the 'finish' flag is
546
 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
547
 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
548
 * Z_OK or Z_STREAM_END will be returned on success.
549
 *
550
 * The input and output sizes are updated to the actual amounts of data consumed
551
 * or written, not the amount available (as in a z_stream).  The data pointers
552
 * are not changed, so the next input is (data+input_size) and the next
553
 * available output is (output+output_size).
554
 */
555
static int
556
png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
557
    /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
558
    /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
559
{
560
   if (png_ptr->zowner == owner) /* Else not claimed */
561
   {
562
      int ret;
563
      png_alloc_size_t avail_out = *output_size_ptr;
564
      png_uint_32 avail_in = *input_size_ptr;
565

566
      /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
567
       * can't even necessarily handle 65536 bytes) because the type uInt is
568
       * "16 bits or more".  Consequently it is necessary to chunk the input to
569
       * zlib.  This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
570
       * maximum value that can be stored in a uInt.)  It is possible to set
571
       * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
572
       * a performance advantage, because it reduces the amount of data accessed
573
       * at each step and that may give the OS more time to page it in.
574
       */
575
      png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
576
      /* avail_in and avail_out are set below from 'size' */
577
      png_ptr->zstream.avail_in = 0;
578
      png_ptr->zstream.avail_out = 0;
579

580
      /* Read directly into the output if it is available (this is set to
581
       * a local buffer below if output is NULL).
582
       */
583
      if (output != NULL)
584
         png_ptr->zstream.next_out = output;
585

586
      do
587
      {
588
         uInt avail;
589
         Byte local_buffer[PNG_INFLATE_BUF_SIZE];
590

591
         /* zlib INPUT BUFFER */
592
         /* The setting of 'avail_in' used to be outside the loop; by setting it
593
          * inside it is possible to chunk the input to zlib and simply rely on
594
          * zlib to advance the 'next_in' pointer.  This allows arbitrary
595
          * amounts of data to be passed through zlib at the unavoidable cost of
596
          * requiring a window save (memcpy of up to 32768 output bytes)
597
          * every ZLIB_IO_MAX input bytes.
598
          */
599
         avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
600

601
         avail = ZLIB_IO_MAX;
602

603
         if (avail_in < avail)
604
            avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
605

606
         avail_in -= avail;
607
         png_ptr->zstream.avail_in = avail;
608

609
         /* zlib OUTPUT BUFFER */
610
         avail_out += png_ptr->zstream.avail_out; /* not written last time */
611

612
         avail = ZLIB_IO_MAX; /* maximum zlib can process */
613

614
         if (output == NULL)
615
         {
616
            /* Reset the output buffer each time round if output is NULL and
617
             * make available the full buffer, up to 'remaining_space'
618
             */
619
            png_ptr->zstream.next_out = local_buffer;
620
            if ((sizeof local_buffer) < avail)
621
               avail = (sizeof local_buffer);
622
         }
623

624
         if (avail_out < avail)
625
            avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
626

627
         png_ptr->zstream.avail_out = avail;
628
         avail_out -= avail;
629

630
         /* zlib inflate call */
631
         /* In fact 'avail_out' may be 0 at this point, that happens at the end
632
          * of the read when the final LZ end code was not passed at the end of
633
          * the previous chunk of input data.  Tell zlib if we have reached the
634
          * end of the output buffer.
635
          */
636
         ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH :
637
             (finish ? Z_FINISH : Z_SYNC_FLUSH));
638
      } while (ret == Z_OK);
639

640
      /* For safety kill the local buffer pointer now */
641
      if (output == NULL)
642
         png_ptr->zstream.next_out = NULL;
643

644
      /* Claw back the 'size' and 'remaining_space' byte counts. */
645
      avail_in += png_ptr->zstream.avail_in;
646
      avail_out += png_ptr->zstream.avail_out;
647

648
      /* Update the input and output sizes; the updated values are the amount
649
       * consumed or written, effectively the inverse of what zlib uses.
650
       */
651
      if (avail_out > 0)
652
         *output_size_ptr -= avail_out;
653

654
      if (avail_in > 0)
655
         *input_size_ptr -= avail_in;
656

657
      /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
658
      png_zstream_error(png_ptr, ret);
659
      return ret;
660
   }
661

662
   else
663
   {
664
      /* This is a bad internal error.  The recovery assigns to the zstream msg
665
       * pointer, which is not owned by the caller, but this is safe; it's only
666
       * used on errors!
667
       */
668
      png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
669
      return Z_STREAM_ERROR;
670
   }
671
}
672

673
/*
674
 * Decompress trailing data in a chunk.  The assumption is that read_buffer
675
 * points at an allocated area holding the contents of a chunk with a
676
 * trailing compressed part.  What we get back is an allocated area
677
 * holding the original prefix part and an uncompressed version of the
678
 * trailing part (the malloc area passed in is freed).
679
 */
680
static int
681
png_decompress_chunk(png_structrp png_ptr,
682
    png_uint_32 chunklength, png_uint_32 prefix_size,
683
    png_alloc_size_t *newlength /* must be initialized to the maximum! */,
684
    int terminate /*add a '\0' to the end of the uncompressed data*/)
685
{
686
   /* TODO: implement different limits for different types of chunk.
687
    *
688
    * The caller supplies *newlength set to the maximum length of the
689
    * uncompressed data, but this routine allocates space for the prefix and
690
    * maybe a '\0' terminator too.  We have to assume that 'prefix_size' is
691
    * limited only by the maximum chunk size.
692
    */
693
   png_alloc_size_t limit = png_chunk_max(png_ptr);
694

695
   if (limit >= prefix_size + (terminate != 0))
696
   {
697
      int ret;
698

699
      limit -= prefix_size + (terminate != 0);
700

701
      if (limit < *newlength)
702
         *newlength = limit;
703

704
      /* Now try to claim the stream. */
705
      ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
706

707
      if (ret == Z_OK)
708
      {
709
         png_uint_32 lzsize = chunklength - prefix_size;
710

711
         ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
712
             /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
713
             /* output: */ NULL, newlength);
714

715
         if (ret == Z_STREAM_END)
716
         {
717
            /* Use 'inflateReset' here, not 'inflateReset2' because this
718
             * preserves the previously decided window size (otherwise it would
719
             * be necessary to store the previous window size.)  In practice
720
             * this doesn't matter anyway, because png_inflate will call inflate
721
             * with Z_FINISH in almost all cases, so the window will not be
722
             * maintained.
723
             */
724
            if (inflateReset(&png_ptr->zstream) == Z_OK)
725
            {
726
               /* Because of the limit checks above we know that the new,
727
                * expanded, size will fit in a size_t (let alone an
728
                * png_alloc_size_t).  Use png_malloc_base here to avoid an
729
                * extra OOM message.
730
                */
731
               png_alloc_size_t new_size = *newlength;
732
               png_alloc_size_t buffer_size = prefix_size + new_size +
733
                   (terminate != 0);
734
               png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
735
                   buffer_size));
736

737
               if (text != NULL)
738
               {
739
                  memset(text, 0, buffer_size);
740

741
                  ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
742
                      png_ptr->read_buffer + prefix_size, &lzsize,
743
                      text + prefix_size, newlength);
744

745
                  if (ret == Z_STREAM_END)
746
                  {
747
                     if (new_size == *newlength)
748
                     {
749
                        if (terminate != 0)
750
                           text[prefix_size + *newlength] = 0;
751

752
                        if (prefix_size > 0)
753
                           memcpy(text, png_ptr->read_buffer, prefix_size);
754

755
                        {
756
                           png_bytep old_ptr = png_ptr->read_buffer;
757

758
                           png_ptr->read_buffer = text;
759
                           png_ptr->read_buffer_size = buffer_size;
760
                           text = old_ptr; /* freed below */
761
                        }
762
                     }
763

764
                     else
765
                     {
766
                        /* The size changed on the second read, there can be no
767
                         * guarantee that anything is correct at this point.
768
                         * The 'msg' pointer has been set to "unexpected end of
769
                         * LZ stream", which is fine, but return an error code
770
                         * that the caller won't accept.
771
                         */
772
                        ret = PNG_UNEXPECTED_ZLIB_RETURN;
773
                     }
774
                  }
775

776
                  else if (ret == Z_OK)
777
                     ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
778

779
                  /* Free the text pointer (this is the old read_buffer on
780
                   * success)
781
                   */
782
                  png_free(png_ptr, text);
783

784
                  /* This really is very benign, but it's still an error because
785
                   * the extra space may otherwise be used as a Trojan Horse.
786
                   */
787
                  if (ret == Z_STREAM_END &&
788
                      chunklength - prefix_size != lzsize)
789
                     png_chunk_benign_error(png_ptr, "extra compressed data");
790
               }
791

792
               else
793
               {
794
                  /* Out of memory allocating the buffer */
795
                  ret = Z_MEM_ERROR;
796
                  png_zstream_error(png_ptr, Z_MEM_ERROR);
797
               }
798
            }
799

800
            else
801
            {
802
               /* inflateReset failed, store the error message */
803
               png_zstream_error(png_ptr, ret);
804
               ret = PNG_UNEXPECTED_ZLIB_RETURN;
805
            }
806
         }
807

808
         else if (ret == Z_OK)
809
            ret = PNG_UNEXPECTED_ZLIB_RETURN;
810

811
         /* Release the claimed stream */
812
         png_ptr->zowner = 0;
813
      }
814

815
      else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
816
         ret = PNG_UNEXPECTED_ZLIB_RETURN;
817

818
      return ret;
819
   }
820

821
   else
822
   {
823
      /* Application/configuration limits exceeded */
824
      png_zstream_error(png_ptr, Z_MEM_ERROR);
825
      return Z_MEM_ERROR;
826
   }
827
}
828
#endif /* READ_zTXt || READ_iTXt */
829
#endif /* READ_COMPRESSED_TEXT */
830

831
#ifdef PNG_READ_iCCP_SUPPORTED
832
/* Perform a partial read and decompress, producing 'avail_out' bytes and
833
 * reading from the current chunk as required.
834
 */
835
static int
836
png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
837
    png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
838
    int finish)
839
{
840
   if (png_ptr->zowner == png_ptr->chunk_name)
841
   {
842
      int ret;
843

844
      /* next_in and avail_in must have been initialized by the caller. */
845
      png_ptr->zstream.next_out = next_out;
846
      png_ptr->zstream.avail_out = 0; /* set in the loop */
847

848
      do
849
      {
850
         if (png_ptr->zstream.avail_in == 0)
851
         {
852
            if (read_size > *chunk_bytes)
853
               read_size = (uInt)*chunk_bytes;
854
            *chunk_bytes -= read_size;
855

856
            if (read_size > 0)
857
               png_crc_read(png_ptr, read_buffer, read_size);
858

859
            png_ptr->zstream.next_in = read_buffer;
860
            png_ptr->zstream.avail_in = read_size;
861
         }
862

863
         if (png_ptr->zstream.avail_out == 0)
864
         {
865
            uInt avail = ZLIB_IO_MAX;
866
            if (avail > *out_size)
867
               avail = (uInt)*out_size;
868
            *out_size -= avail;
869

870
            png_ptr->zstream.avail_out = avail;
871
         }
872

873
         /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
874
          * the available output is produced; this allows reading of truncated
875
          * streams.
876
          */
877
         ret = PNG_INFLATE(png_ptr, *chunk_bytes > 0 ?
878
             Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
879
      }
880
      while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
881

882
      *out_size += png_ptr->zstream.avail_out;
883
      png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
884

885
      /* Ensure the error message pointer is always set: */
886
      png_zstream_error(png_ptr, ret);
887
      return ret;
888
   }
889

890
   else
891
   {
892
      png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
893
      return Z_STREAM_ERROR;
894
   }
895
}
896
#endif /* READ_iCCP */
897

898
/* CHUNK HANDLING */
899
/* Read and check the IDHR chunk */
900
static png_handle_result_code
901
png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
902
{
903
   png_byte buf[13];
904
   png_uint_32 width, height;
905
   int bit_depth, color_type, compression_type, filter_type;
906
   int interlace_type;
907

908
   png_debug(1, "in png_handle_IHDR");
909

910
   /* Length and position are checked by the caller. */
911

912
   png_ptr->mode |= PNG_HAVE_IHDR;
913

914
   png_crc_read(png_ptr, buf, 13);
915
   png_crc_finish(png_ptr, 0);
916

917
   width = png_get_uint_31(png_ptr, buf);
918
   height = png_get_uint_31(png_ptr, buf + 4);
919
   bit_depth = buf[8];
920
   color_type = buf[9];
921
   compression_type = buf[10];
922
   filter_type = buf[11];
923
   interlace_type = buf[12];
924

925
   /* Set internal variables */
926
   png_ptr->width = width;
927
   png_ptr->height = height;
928
   png_ptr->bit_depth = (png_byte)bit_depth;
929
   png_ptr->interlaced = (png_byte)interlace_type;
930
   png_ptr->color_type = (png_byte)color_type;
931
#ifdef PNG_MNG_FEATURES_SUPPORTED
932
   png_ptr->filter_type = (png_byte)filter_type;
933
#endif
934
   png_ptr->compression_type = (png_byte)compression_type;
935

936
   /* Find number of channels */
937
   switch (png_ptr->color_type)
938
   {
939
      default: /* invalid, png_set_IHDR calls png_error */
940
      case PNG_COLOR_TYPE_GRAY:
941
      case PNG_COLOR_TYPE_PALETTE:
942
         png_ptr->channels = 1;
943
         break;
944

945
      case PNG_COLOR_TYPE_RGB:
946
         png_ptr->channels = 3;
947
         break;
948

949
      case PNG_COLOR_TYPE_GRAY_ALPHA:
950
         png_ptr->channels = 2;
951
         break;
952

953
      case PNG_COLOR_TYPE_RGB_ALPHA:
954
         png_ptr->channels = 4;
955
         break;
956
   }
957

958
   /* Set up other useful info */
959
   png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
960
   png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
961
   png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
962
   png_debug1(3, "channels = %d", png_ptr->channels);
963
   png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
964

965
   /* Rely on png_set_IHDR to completely validate the data and call png_error if
966
    * it's wrong.
967
    */
968
   png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
969
       color_type, interlace_type, compression_type, filter_type);
970

971
   return handled_ok;
972
   PNG_UNUSED(length)
973
}
974

975
/* Read and check the palette */
976
/* TODO: there are several obvious errors in this code when handling
977
 * out-of-place chunks and there is much over-complexity caused by trying to
978
 * patch up the problems.
979
 */
980
static png_handle_result_code
981
png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
982
{
983
   png_const_charp errmsg = NULL;
984

985
   png_debug(1, "in png_handle_PLTE");
986

987
   /* 1.6.47: consistency.  This used to be especially treated as a critical
988
    * error even in an image which is not colour mapped, there isn't a good
989
    * justification for treating some errors here one way and others another so
990
    * everything uses the same logic.
991
    */
992
   if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)
993
      errmsg = "duplicate";
994

995
   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
996
      errmsg = "out of place";
997

998
   else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
999
      errmsg = "ignored in grayscale PNG";
1000

1001
   else if (length > 3*PNG_MAX_PALETTE_LENGTH || (length % 3) != 0)
1002
      errmsg = "invalid";
1003

1004
   /* This drops PLTE in favour of tRNS or bKGD because both of those chunks
1005
    * can have an effect on the rendering of the image whereas PLTE only matters
1006
    * in the case of an 8-bit display with a decoder which controls the palette.
1007
    *
1008
    * The alternative here is to ignore the error and store the palette anyway;
1009
    * destroying the tRNS will definately cause problems.
1010
    *
1011
    * NOTE: the case of PNG_COLOR_TYPE_PALETTE need not be considered because
1012
    * the png_handle_ routines for the three 'after PLTE' chunks tRNS, bKGD and
1013
    * hIST all check for a preceding PLTE in these cases.
1014
    */
1015
   else if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE &&
1016
            (png_has_chunk(png_ptr, tRNS) || png_has_chunk(png_ptr, bKGD)))
1017
      errmsg = "out of place";
1018

1019
   else
1020
   {
1021
      /* If the palette has 256 or fewer entries but is too large for the bit
1022
       * depth we don't issue an error to preserve the behavior of previous
1023
       * libpng versions. We silently truncate the unused extra palette entries
1024
       * here.
1025
       */
1026
      const unsigned max_palette_length =
1027
         (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
1028
            1U << png_ptr->bit_depth : PNG_MAX_PALETTE_LENGTH;
1029

1030
      /* The cast is safe because 'length' is less than
1031
       * 3*PNG_MAX_PALETTE_LENGTH
1032
       */
1033
      const unsigned num = (length > 3U*max_palette_length) ?
1034
         max_palette_length : (unsigned)length / 3U;
1035

1036
      unsigned i, j;
1037
      png_byte buf[3*PNG_MAX_PALETTE_LENGTH];
1038
      png_color palette[PNG_MAX_PALETTE_LENGTH];
1039

1040
      /* Read the chunk into the buffer then read to the end of the chunk. */
1041
      png_crc_read(png_ptr, buf, num*3U);
1042
      png_crc_finish_critical(png_ptr, length - 3U*num,
1043
            /* Handle as ancillary if PLTE is optional: */
1044
            png_ptr->color_type != PNG_COLOR_TYPE_PALETTE);
1045

1046
      for (i = 0U, j = 0U; i < num; i++)
1047
      {
1048
         palette[i].red = buf[j++];
1049
         palette[i].green = buf[j++];
1050
         palette[i].blue = buf[j++];
1051
      }
1052

1053
      /* A valid PLTE chunk has been read */
1054
      png_ptr->mode |= PNG_HAVE_PLTE;
1055

1056
      /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to
1057
       * its own copy of the palette.  This has the side effect that when
1058
       * png_start_row is called (this happens after any call to
1059
       * png_read_update_info) the info_ptr palette gets changed.  This is
1060
       * extremely unexpected and confusing.
1061
       *
1062
       * REVIEW: there have been consistent bugs in the past about gamma and
1063
       * similar transforms to colour mapped images being useless because the
1064
       * modified palette cannot be accessed because of the above.
1065
       *
1066
       * CONSIDER: Fix this by not sharing the palette in this way.  But does
1067
       * this completely fix the problem?
1068
       */
1069
      png_set_PLTE(png_ptr, info_ptr, palette, num);
1070
      return handled_ok;
1071
   }
1072

1073
   /* Here on error: errmsg is non NULL. */
1074
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1075
   {
1076
      png_crc_finish(png_ptr, length);
1077
      png_chunk_error(png_ptr, errmsg);
1078
   }
1079

1080
   else /* not critical to this image */
1081
   {
1082
      png_crc_finish_critical(png_ptr, length, 1/*handle as ancillary*/);
1083
      png_chunk_benign_error(png_ptr, errmsg);
1084
   }
1085

1086
   /* Because PNG_UNUSED(errmsg) does not work if all the uses are compiled out
1087
    * (this does happen).
1088
    */
1089
   return errmsg != NULL ? handled_error : handled_error;
1090
}
1091

1092
/* On read the IDAT chunk is always handled specially, even if marked for
1093
 * unknown handling (this is allowed), so:
1094
 */
1095
#define png_handle_IDAT NULL
1096

1097
static png_handle_result_code
1098
png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1099
{
1100
   png_debug(1, "in png_handle_IEND");
1101

1102
   png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
1103

1104
   if (length != 0)
1105
      png_chunk_benign_error(png_ptr, "invalid");
1106

1107
   png_crc_finish_critical(png_ptr, length, 1/*handle as ancillary*/);
1108

1109
   return handled_ok;
1110
   PNG_UNUSED(info_ptr)
1111
}
1112

1113
#ifdef PNG_READ_gAMA_SUPPORTED
1114
static png_handle_result_code
1115
png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1116
{
1117
   png_uint_32 ugamma;
1118
   png_byte buf[4];
1119

1120
   png_debug(1, "in png_handle_gAMA");
1121

1122
   png_crc_read(png_ptr, buf, 4);
1123

1124
   if (png_crc_finish(png_ptr, 0) != 0)
1125
      return handled_error;
1126

1127
   ugamma = png_get_uint_32(buf);
1128

1129
   if (ugamma > PNG_UINT_31_MAX)
1130
   {
1131
      png_chunk_benign_error(png_ptr, "invalid");
1132
      return handled_error;
1133
   }
1134

1135
   png_set_gAMA_fixed(png_ptr, info_ptr, (png_fixed_point)/*SAFE*/ugamma);
1136

1137
#ifdef PNG_READ_GAMMA_SUPPORTED
1138
      /* PNGv3: chunk precedence for gamma is cICP, [iCCP], sRGB, gAMA.  gAMA is
1139
       * at the end of the chain so simply check for an unset value.
1140
       */
1141
      if (png_ptr->chunk_gamma == 0)
1142
         png_ptr->chunk_gamma = (png_fixed_point)/*SAFE*/ugamma;
1143
#endif /*READ_GAMMA*/
1144

1145
   return handled_ok;
1146
   PNG_UNUSED(length)
1147
}
1148
#else
1149
#  define png_handle_gAMA NULL
1150
#endif
1151

1152
#ifdef PNG_READ_sBIT_SUPPORTED
1153
static png_handle_result_code /* PRIVATE */
1154
png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1155
{
1156
   unsigned int truelen, i;
1157
   png_byte sample_depth;
1158
   png_byte buf[4];
1159

1160
   png_debug(1, "in png_handle_sBIT");
1161

1162
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1163
   {
1164
      truelen = 3;
1165
      sample_depth = 8;
1166
   }
1167

1168
   else
1169
   {
1170
      truelen = png_ptr->channels;
1171
      sample_depth = png_ptr->bit_depth;
1172
   }
1173

1174
   if (length != truelen)
1175
   {
1176
      png_crc_finish(png_ptr, length);
1177
      png_chunk_benign_error(png_ptr, "bad length");
1178
      return handled_error;
1179
   }
1180

1181
   buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
1182
   png_crc_read(png_ptr, buf, truelen);
1183

1184
   if (png_crc_finish(png_ptr, 0) != 0)
1185
      return handled_error;
1186

1187
   for (i=0; i<truelen; ++i)
1188
   {
1189
      if (buf[i] == 0 || buf[i] > sample_depth)
1190
      {
1191
         png_chunk_benign_error(png_ptr, "invalid");
1192
         return handled_error;
1193
      }
1194
   }
1195

1196
   if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1197
   {
1198
      png_ptr->sig_bit.red = buf[0];
1199
      png_ptr->sig_bit.green = buf[1];
1200
      png_ptr->sig_bit.blue = buf[2];
1201
      png_ptr->sig_bit.alpha = buf[3];
1202
   }
1203

1204
   else /* grayscale */
1205
   {
1206
      png_ptr->sig_bit.gray = buf[0];
1207
      png_ptr->sig_bit.red = buf[0];
1208
      png_ptr->sig_bit.green = buf[0];
1209
      png_ptr->sig_bit.blue = buf[0];
1210
      png_ptr->sig_bit.alpha = buf[1];
1211
   }
1212

1213
   png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
1214
   return handled_ok;
1215
}
1216
#else
1217
#  define png_handle_sBIT NULL
1218
#endif
1219

1220
#ifdef PNG_READ_cHRM_SUPPORTED
1221
static png_int_32
1222
png_get_int_32_checked(png_const_bytep buf, int *error)
1223
{
1224
   png_uint_32 uval = png_get_uint_32(buf);
1225
   if ((uval & 0x80000000) == 0) /* non-negative */
1226
      return (png_int_32)uval;
1227

1228
   uval = (uval ^ 0xffffffff) + 1;  /* 2's complement: -x = ~x+1 */
1229
   if ((uval & 0x80000000) == 0) /* no overflow */
1230
      return -(png_int_32)uval;
1231

1232
   /* This version of png_get_int_32 has a way of returning the error to the
1233
    * caller, so:
1234
    */
1235
   *error = 1;
1236
   return 0; /* Safe */
1237
}
1238

1239
static png_handle_result_code /* PRIVATE */
1240
png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1241
{
1242
   int error = 0;
1243
   png_xy xy;
1244
   png_byte buf[32];
1245

1246
   png_debug(1, "in png_handle_cHRM");
1247

1248
   png_crc_read(png_ptr, buf, 32);
1249

1250
   if (png_crc_finish(png_ptr, 0) != 0)
1251
      return handled_error;
1252

1253
   xy.whitex = png_get_int_32_checked(buf +  0, &error);
1254
   xy.whitey = png_get_int_32_checked(buf +  4, &error);
1255
   xy.redx   = png_get_int_32_checked(buf +  8, &error);
1256
   xy.redy   = png_get_int_32_checked(buf + 12, &error);
1257
   xy.greenx = png_get_int_32_checked(buf + 16, &error);
1258
   xy.greeny = png_get_int_32_checked(buf + 20, &error);
1259
   xy.bluex  = png_get_int_32_checked(buf + 24, &error);
1260
   xy.bluey  = png_get_int_32_checked(buf + 28, &error);
1261

1262
   if (error)
1263
   {
1264
      png_chunk_benign_error(png_ptr, "invalid");
1265
      return handled_error;
1266
   }
1267

1268
   /* png_set_cHRM may complain about some of the values but this doesn't matter
1269
    * because it was a cHRM and it did have vaguely (if, perhaps, ridiculous)
1270
    * values.  Ridiculousity will be checked if the values are used later.
1271
    */
1272
   png_set_cHRM_fixed(png_ptr, info_ptr, xy.whitex, xy.whitey, xy.redx, xy.redy,
1273
         xy.greenx, xy.greeny, xy.bluex, xy.bluey);
1274

1275
   /* We only use 'chromaticities' for RGB to gray */
1276
#  ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
1277
      /* There is no need to check sRGB here, cICP is NYI and iCCP is not
1278
       * supported so just check mDCV.
1279
       */
1280
      if (!png_has_chunk(png_ptr, mDCV))
1281
      {
1282
         png_ptr->chromaticities = xy;
1283
      }
1284
#  endif /* READ_RGB_TO_GRAY */
1285

1286
   return handled_ok;
1287
   PNG_UNUSED(length)
1288
}
1289
#else
1290
#  define png_handle_cHRM NULL
1291
#endif
1292

1293
#ifdef PNG_READ_sRGB_SUPPORTED
1294
static png_handle_result_code /* PRIVATE */
1295
png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1296
{
1297
   png_byte intent;
1298

1299
   png_debug(1, "in png_handle_sRGB");
1300

1301
   png_crc_read(png_ptr, &intent, 1);
1302

1303
   if (png_crc_finish(png_ptr, 0) != 0)
1304
      return handled_error;
1305

1306
   /* This checks the range of the "rendering intent" because it is specified in
1307
    * the PNG spec itself; the "reserved" values will result in the chunk not
1308
    * being accepted, just as they do with the various "reserved" values in
1309
    * IHDR.
1310
    */
1311
   if (intent > 3/*PNGv3 spec*/)
1312
   {
1313
      png_chunk_benign_error(png_ptr, "invalid");
1314
      return handled_error;
1315
   }
1316

1317
   png_set_sRGB(png_ptr, info_ptr, intent);
1318
   /* NOTE: png_struct::chromaticities is not set here because the RGB to gray
1319
    * coefficients are known without a need for the chromaticities.
1320
    */
1321

1322
#ifdef PNG_READ_GAMMA_SUPPORTED
1323
      /* PNGv3: chunk precedence for gamma is cICP, [iCCP], sRGB, gAMA.  iCCP is
1324
       * not supported by libpng so the only requirement is to check for cICP
1325
       * setting the gamma (this is NYI, but this check is safe.)
1326
       */
1327
      if (!png_has_chunk(png_ptr, cICP) || png_ptr->chunk_gamma == 0)
1328
         png_ptr->chunk_gamma = PNG_GAMMA_sRGB_INVERSE;
1329
#endif /*READ_GAMMA*/
1330

1331
   return handled_ok;
1332
   PNG_UNUSED(length)
1333
}
1334
#else
1335
#  define png_handle_sRGB NULL
1336
#endif /* READ_sRGB */
1337

1338
#ifdef PNG_READ_iCCP_SUPPORTED
1339
static png_handle_result_code /* PRIVATE */
1340
png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1341
/* Note: this does not properly handle profiles that are > 64K under DOS */
1342
{
1343
   png_const_charp errmsg = NULL; /* error message output, or no error */
1344
   int finished = 0; /* crc checked */
1345

1346
   png_debug(1, "in png_handle_iCCP");
1347

1348
   /* PNGv3: allow PNG files with both sRGB and iCCP because the PNG spec only
1349
    * ever said that there "should" be only one, not "shall" and the PNGv3
1350
    * colour chunk precedence rules give a handling for this case anyway.
1351
    */
1352
   {
1353
      uInt read_length, keyword_length;
1354
      char keyword[81];
1355

1356
      /* Find the keyword; the keyword plus separator and compression method
1357
       * bytes can be at most 81 characters long.
1358
       */
1359
      read_length = 81; /* maximum */
1360
      if (read_length > length)
1361
         read_length = (uInt)/*SAFE*/length;
1362

1363
      png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1364
      length -= read_length;
1365

1366
      if (length < LZ77Min)
1367
      {
1368
         png_crc_finish(png_ptr, length);
1369
         png_chunk_benign_error(png_ptr, "too short");
1370
         return handled_error;
1371
      }
1372

1373
      keyword_length = 0;
1374
      while (keyword_length < 80 && keyword_length < read_length &&
1375
         keyword[keyword_length] != 0)
1376
         ++keyword_length;
1377

1378
      /* TODO: make the keyword checking common */
1379
      if (keyword_length >= 1 && keyword_length <= 79)
1380
      {
1381
         /* We only understand '0' compression - deflate - so if we get a
1382
          * different value we can't safely decode the chunk.
1383
          */
1384
         if (keyword_length+1 < read_length &&
1385
            keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
1386
         {
1387
            read_length -= keyword_length+2;
1388

1389
            if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1390
            {
1391
               Byte profile_header[132]={0};
1392
               Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1393
               png_alloc_size_t size = (sizeof profile_header);
1394

1395
               png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
1396
               png_ptr->zstream.avail_in = read_length;
1397
               (void)png_inflate_read(png_ptr, local_buffer,
1398
                   (sizeof local_buffer), &length, profile_header, &size,
1399
                   0/*finish: don't, because the output is too small*/);
1400

1401
               if (size == 0)
1402
               {
1403
                  /* We have the ICC profile header; do the basic header checks.
1404
                   */
1405
                  png_uint_32 profile_length = png_get_uint_32(profile_header);
1406

1407
                  if (png_icc_check_length(png_ptr, keyword, profile_length) !=
1408
                      0)
1409
                  {
1410
                     /* The length is apparently ok, so we can check the 132
1411
                      * byte header.
1412
                      */
1413
                     if (png_icc_check_header(png_ptr, keyword, profile_length,
1414
                              profile_header, png_ptr->color_type) != 0)
1415
                     {
1416
                        /* Now read the tag table; a variable size buffer is
1417
                         * needed at this point, allocate one for the whole
1418
                         * profile.  The header check has already validated
1419
                         * that none of this stuff will overflow.
1420
                         */
1421
                        png_uint_32 tag_count =
1422
                           png_get_uint_32(profile_header + 128);
1423
                        png_bytep profile = png_read_buffer(png_ptr,
1424
                              profile_length);
1425

1426
                        if (profile != NULL)
1427
                        {
1428
                           memcpy(profile, profile_header,
1429
                               (sizeof profile_header));
1430

1431
                           size = 12 * tag_count;
1432

1433
                           (void)png_inflate_read(png_ptr, local_buffer,
1434
                               (sizeof local_buffer), &length,
1435
                               profile + (sizeof profile_header), &size, 0);
1436

1437
                           /* Still expect a buffer error because we expect
1438
                            * there to be some tag data!
1439
                            */
1440
                           if (size == 0)
1441
                           {
1442
                              if (png_icc_check_tag_table(png_ptr,
1443
                                       keyword, profile_length, profile) != 0)
1444
                              {
1445
                                 /* The profile has been validated for basic
1446
                                  * security issues, so read the whole thing in.
1447
                                  */
1448
                                 size = profile_length - (sizeof profile_header)
1449
                                     - 12 * tag_count;
1450

1451
                                 (void)png_inflate_read(png_ptr, local_buffer,
1452
                                     (sizeof local_buffer), &length,
1453
                                     profile + (sizeof profile_header) +
1454
                                     12 * tag_count, &size, 1/*finish*/);
1455

1456
                                 if (length > 0 && !(png_ptr->flags &
1457
                                     PNG_FLAG_BENIGN_ERRORS_WARN))
1458
                                    errmsg = "extra compressed data";
1459

1460
                                 /* But otherwise allow extra data: */
1461
                                 else if (size == 0)
1462
                                 {
1463
                                    if (length > 0)
1464
                                    {
1465
                                       /* This can be handled completely, so
1466
                                        * keep going.
1467
                                        */
1468
                                       png_chunk_warning(png_ptr,
1469
                                           "extra compressed data");
1470
                                    }
1471

1472
                                    png_crc_finish(png_ptr, length);
1473
                                    finished = 1;
1474

1475
                                    /* Steal the profile for info_ptr. */
1476
                                    if (info_ptr != NULL)
1477
                                    {
1478
                                       png_free_data(png_ptr, info_ptr,
1479
                                           PNG_FREE_ICCP, 0);
1480

1481
                                       info_ptr->iccp_name = png_voidcast(char*,
1482
                                           png_malloc_base(png_ptr,
1483
                                           keyword_length+1));
1484
                                       if (info_ptr->iccp_name != NULL)
1485
                                       {
1486
                                          memcpy(info_ptr->iccp_name, keyword,
1487
                                              keyword_length+1);
1488
                                          info_ptr->iccp_proflen =
1489
                                              profile_length;
1490
                                          info_ptr->iccp_profile = profile;
1491
                                          png_ptr->read_buffer = NULL; /*steal*/
1492
                                          info_ptr->free_me |= PNG_FREE_ICCP;
1493
                                          info_ptr->valid |= PNG_INFO_iCCP;
1494
                                       }
1495

1496
                                       else
1497
                                          errmsg = "out of memory";
1498
                                    }
1499

1500
                                    /* else the profile remains in the read
1501
                                     * buffer which gets reused for subsequent
1502
                                     * chunks.
1503
                                     */
1504

1505
                                    if (errmsg == NULL)
1506
                                    {
1507
                                       png_ptr->zowner = 0;
1508
                                       return handled_ok;
1509
                                    }
1510
                                 }
1511
                                 if (errmsg == NULL)
1512
                                    errmsg = png_ptr->zstream.msg;
1513
                              }
1514
                              /* else png_icc_check_tag_table output an error */
1515
                           }
1516
                           else /* profile truncated */
1517
                              errmsg = png_ptr->zstream.msg;
1518
                        }
1519

1520
                        else
1521
                           errmsg = "out of memory";
1522
                     }
1523

1524
                     /* else png_icc_check_header output an error */
1525
                  }
1526

1527
                  /* else png_icc_check_length output an error */
1528
               }
1529

1530
               else /* profile truncated */
1531
                  errmsg = png_ptr->zstream.msg;
1532

1533
               /* Release the stream */
1534
               png_ptr->zowner = 0;
1535
            }
1536

1537
            else /* png_inflate_claim failed */
1538
               errmsg = png_ptr->zstream.msg;
1539
         }
1540

1541
         else
1542
            errmsg = "bad compression method"; /* or missing */
1543
      }
1544

1545
      else
1546
         errmsg = "bad keyword";
1547
   }
1548

1549
   /* Failure: the reason is in 'errmsg' */
1550
   if (finished == 0)
1551
      png_crc_finish(png_ptr, length);
1552

1553
   if (errmsg != NULL) /* else already output */
1554
      png_chunk_benign_error(png_ptr, errmsg);
1555

1556
   return handled_error;
1557
}
1558
#else
1559
#  define png_handle_iCCP NULL
1560
#endif /* READ_iCCP */
1561

1562
#ifdef PNG_READ_sPLT_SUPPORTED
1563
static png_handle_result_code /* PRIVATE */
1564
png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1565
/* Note: this does not properly handle chunks that are > 64K under DOS */
1566
{
1567
   png_bytep entry_start, buffer;
1568
   png_sPLT_t new_palette;
1569
   png_sPLT_entryp pp;
1570
   png_uint_32 data_length;
1571
   int entry_size, i;
1572
   png_uint_32 skip = 0;
1573
   png_uint_32 dl;
1574
   size_t max_dl;
1575

1576
   png_debug(1, "in png_handle_sPLT");
1577

1578
#ifdef PNG_USER_LIMITS_SUPPORTED
1579
   if (png_ptr->user_chunk_cache_max != 0)
1580
   {
1581
      if (png_ptr->user_chunk_cache_max == 1)
1582
      {
1583
         png_crc_finish(png_ptr, length);
1584
         return handled_error;
1585
      }
1586

1587
      if (--png_ptr->user_chunk_cache_max == 1)
1588
      {
1589
         png_warning(png_ptr, "No space in chunk cache for sPLT");
1590
         png_crc_finish(png_ptr, length);
1591
         return handled_error;
1592
      }
1593
   }
1594
#endif
1595

1596
   buffer = png_read_buffer(png_ptr, length+1);
1597
   if (buffer == NULL)
1598
   {
1599
      png_crc_finish(png_ptr, length);
1600
      png_chunk_benign_error(png_ptr, "out of memory");
1601
      return handled_error;
1602
   }
1603

1604

1605
   /* WARNING: this may break if size_t is less than 32 bits; it is assumed
1606
    * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1607
    * potential breakage point if the types in pngconf.h aren't exactly right.
1608
    */
1609
   png_crc_read(png_ptr, buffer, length);
1610

1611
   if (png_crc_finish(png_ptr, skip) != 0)
1612
      return handled_error;
1613

1614
   buffer[length] = 0;
1615

1616
   for (entry_start = buffer; *entry_start; entry_start++)
1617
      /* Empty loop to find end of name */ ;
1618

1619
   ++entry_start;
1620

1621
   /* A sample depth should follow the separator, and we should be on it  */
1622
   if (length < 2U || entry_start > buffer + (length - 2U))
1623
   {
1624
      png_warning(png_ptr, "malformed sPLT chunk");
1625
      return handled_error;
1626
   }
1627

1628
   new_palette.depth = *entry_start++;
1629
   entry_size = (new_palette.depth == 8 ? 6 : 10);
1630
   /* This must fit in a png_uint_32 because it is derived from the original
1631
    * chunk data length.
1632
    */
1633
   data_length = length - (png_uint_32)(entry_start - buffer);
1634

1635
   /* Integrity-check the data length */
1636
   if ((data_length % (unsigned int)entry_size) != 0)
1637
   {
1638
      png_warning(png_ptr, "sPLT chunk has bad length");
1639
      return handled_error;
1640
   }
1641

1642
   dl = (png_uint_32)(data_length / (unsigned int)entry_size);
1643
   max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1644

1645
   if (dl > max_dl)
1646
   {
1647
      png_warning(png_ptr, "sPLT chunk too long");
1648
      return handled_error;
1649
   }
1650

1651
   new_palette.nentries = (png_int_32)(data_length / (unsigned int)entry_size);
1652

1653
   new_palette.entries = (png_sPLT_entryp)png_malloc_warn(png_ptr,
1654
       (png_alloc_size_t) new_palette.nentries * (sizeof (png_sPLT_entry)));
1655

1656
   if (new_palette.entries == NULL)
1657
   {
1658
      png_warning(png_ptr, "sPLT chunk requires too much memory");
1659
      return handled_error;
1660
   }
1661

1662
   for (i = 0; i < new_palette.nentries; i++)
1663
   {
1664
      pp = new_palette.entries + i;
1665

1666
      if (new_palette.depth == 8)
1667
      {
1668
         pp->red = *entry_start++;
1669
         pp->green = *entry_start++;
1670
         pp->blue = *entry_start++;
1671
         pp->alpha = *entry_start++;
1672
      }
1673

1674
      else
1675
      {
1676
         pp->red   = png_get_uint_16(entry_start); entry_start += 2;
1677
         pp->green = png_get_uint_16(entry_start); entry_start += 2;
1678
         pp->blue  = png_get_uint_16(entry_start); entry_start += 2;
1679
         pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
1680
      }
1681

1682
      pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
1683
   }
1684

1685
   /* Discard all chunk data except the name and stash that */
1686
   new_palette.name = (png_charp)buffer;
1687

1688
   png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
1689

1690
   png_free(png_ptr, new_palette.entries);
1691
   return handled_ok;
1692
}
1693
#else
1694
#  define png_handle_sPLT NULL
1695
#endif /* READ_sPLT */
1696

1697
#ifdef PNG_READ_tRNS_SUPPORTED
1698
static png_handle_result_code /* PRIVATE */
1699
png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1700
{
1701
   png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1702

1703
   png_debug(1, "in png_handle_tRNS");
1704

1705
   if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1706
   {
1707
      png_byte buf[2];
1708

1709
      if (length != 2)
1710
      {
1711
         png_crc_finish(png_ptr, length);
1712
         png_chunk_benign_error(png_ptr, "invalid");
1713
         return handled_error;
1714
      }
1715

1716
      png_crc_read(png_ptr, buf, 2);
1717
      png_ptr->num_trans = 1;
1718
      png_ptr->trans_color.gray = png_get_uint_16(buf);
1719
   }
1720

1721
   else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1722
   {
1723
      png_byte buf[6];
1724

1725
      if (length != 6)
1726
      {
1727
         png_crc_finish(png_ptr, length);
1728
         png_chunk_benign_error(png_ptr, "invalid");
1729
         return handled_error;
1730
      }
1731

1732
      png_crc_read(png_ptr, buf, length);
1733
      png_ptr->num_trans = 1;
1734
      png_ptr->trans_color.red = png_get_uint_16(buf);
1735
      png_ptr->trans_color.green = png_get_uint_16(buf + 2);
1736
      png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
1737
   }
1738

1739
   else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1740
   {
1741
      if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
1742
      {
1743
         png_crc_finish(png_ptr, length);
1744
         png_chunk_benign_error(png_ptr, "out of place");
1745
         return handled_error;
1746
      }
1747

1748
      if (length > (unsigned int) png_ptr->num_palette ||
1749
         length > (unsigned int) PNG_MAX_PALETTE_LENGTH ||
1750
         length == 0)
1751
      {
1752
         png_crc_finish(png_ptr, length);
1753
         png_chunk_benign_error(png_ptr, "invalid");
1754
         return handled_error;
1755
      }
1756

1757
      png_crc_read(png_ptr, readbuf, length);
1758
      png_ptr->num_trans = (png_uint_16)length;
1759
   }
1760

1761
   else
1762
   {
1763
      png_crc_finish(png_ptr, length);
1764
      png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1765
      return handled_error;
1766
   }
1767

1768
   if (png_crc_finish(png_ptr, 0) != 0)
1769
   {
1770
      png_ptr->num_trans = 0;
1771
      return handled_error;
1772
   }
1773

1774
   /* TODO: this is a horrible side effect in the palette case because the
1775
    * png_struct ends up with a pointer to the tRNS buffer owned by the
1776
    * png_info.  Fix this.
1777
    */
1778
   png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1779
       &(png_ptr->trans_color));
1780
   return handled_ok;
1781
}
1782
#else
1783
#  define png_handle_tRNS NULL
1784
#endif
1785

1786
#ifdef PNG_READ_bKGD_SUPPORTED
1787
static png_handle_result_code /* PRIVATE */
1788
png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1789
{
1790
   unsigned int truelen;
1791
   png_byte buf[6];
1792
   png_color_16 background;
1793

1794
   png_debug(1, "in png_handle_bKGD");
1795

1796
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1797
   {
1798
      if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
1799
      {
1800
         png_crc_finish(png_ptr, length);
1801
         png_chunk_benign_error(png_ptr, "out of place");
1802
         return handled_error;
1803
      }
1804

1805
      truelen = 1;
1806
   }
1807

1808
   else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
1809
      truelen = 6;
1810

1811
   else
1812
      truelen = 2;
1813

1814
   if (length != truelen)
1815
   {
1816
      png_crc_finish(png_ptr, length);
1817
      png_chunk_benign_error(png_ptr, "invalid");
1818
      return handled_error;
1819
   }
1820

1821
   png_crc_read(png_ptr, buf, truelen);
1822

1823
   if (png_crc_finish(png_ptr, 0) != 0)
1824
      return handled_error;
1825

1826
   /* We convert the index value into RGB components so that we can allow
1827
    * arbitrary RGB values for background when we have transparency, and
1828
    * so it is easy to determine the RGB values of the background color
1829
    * from the info_ptr struct.
1830
    */
1831
   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1832
   {
1833
      background.index = buf[0];
1834

1835
      if (info_ptr != NULL && info_ptr->num_palette != 0)
1836
      {
1837
         if (buf[0] >= info_ptr->num_palette)
1838
         {
1839
            png_chunk_benign_error(png_ptr, "invalid index");
1840
            return handled_error;
1841
         }
1842

1843
         background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
1844
         background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
1845
         background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
1846
      }
1847

1848
      else
1849
         background.red = background.green = background.blue = 0;
1850

1851
      background.gray = 0;
1852
   }
1853

1854
   else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */
1855
   {
1856
      if (png_ptr->bit_depth <= 8)
1857
      {
1858
         if (buf[0] != 0 || buf[1] >= (unsigned int)(1 << png_ptr->bit_depth))
1859
         {
1860
            png_chunk_benign_error(png_ptr, "invalid gray level");
1861
            return handled_error;
1862
         }
1863
      }
1864

1865
      background.index = 0;
1866
      background.red =
1867
      background.green =
1868
      background.blue =
1869
      background.gray = png_get_uint_16(buf);
1870
   }
1871

1872
   else
1873
   {
1874
      if (png_ptr->bit_depth <= 8)
1875
      {
1876
         if (buf[0] != 0 || buf[2] != 0 || buf[4] != 0)
1877
         {
1878
            png_chunk_benign_error(png_ptr, "invalid color");
1879
            return handled_error;
1880
         }
1881
      }
1882

1883
      background.index = 0;
1884
      background.red = png_get_uint_16(buf);
1885
      background.green = png_get_uint_16(buf + 2);
1886
      background.blue = png_get_uint_16(buf + 4);
1887
      background.gray = 0;
1888
   }
1889

1890
   png_set_bKGD(png_ptr, info_ptr, &background);
1891
   return handled_ok;
1892
}
1893
#else
1894
#  define png_handle_bKGD NULL
1895
#endif
1896

1897
#ifdef PNG_READ_cICP_SUPPORTED
1898
static png_handle_result_code /* PRIVATE */
1899
png_handle_cICP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1900
{
1901
   png_byte buf[4];
1902

1903
   png_debug(1, "in png_handle_cICP");
1904

1905
   png_crc_read(png_ptr, buf, 4);
1906

1907
   if (png_crc_finish(png_ptr, 0) != 0)
1908
      return handled_error;
1909

1910
   png_set_cICP(png_ptr, info_ptr, buf[0], buf[1],  buf[2], buf[3]);
1911

1912
   /* We only use 'chromaticities' for RGB to gray */
1913
#  ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
1914
      if (!png_has_chunk(png_ptr, mDCV))
1915
      {
1916
         /* TODO: png_ptr->chromaticities = chromaticities; */
1917
      }
1918
#  endif /* READ_RGB_TO_GRAY */
1919

1920
#ifdef PNG_READ_GAMMA_SUPPORTED
1921
      /* PNGv3: chunk precedence for gamma is cICP, [iCCP], sRGB, gAMA.  cICP is
1922
       * at the head so simply set the gamma if it can be determined.  If not
1923
       * chunk_gamma remains unchanged; sRGB and gAMA handling check it for
1924
       * being zero.
1925
       */
1926
      /* TODO: set png_struct::chunk_gamma when possible */
1927
#endif /*READ_GAMMA*/
1928

1929
   return handled_ok;
1930
   PNG_UNUSED(length)
1931
}
1932
#else
1933
#  define png_handle_cICP NULL
1934
#endif
1935

1936
#ifdef PNG_READ_cLLI_SUPPORTED
1937
static png_handle_result_code /* PRIVATE */
1938
png_handle_cLLI(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1939
{
1940
   png_byte buf[8];
1941

1942
   png_debug(1, "in png_handle_cLLI");
1943

1944
   png_crc_read(png_ptr, buf, 8);
1945

1946
   if (png_crc_finish(png_ptr, 0) != 0)
1947
      return handled_error;
1948

1949
   /* The error checking happens here, this puts it in just one place: */
1950
   png_set_cLLI_fixed(png_ptr, info_ptr, png_get_uint_32(buf),
1951
         png_get_uint_32(buf+4));
1952
   return handled_ok;
1953
   PNG_UNUSED(length)
1954
}
1955
#else
1956
#  define png_handle_cLLI NULL
1957
#endif
1958

1959
#ifdef PNG_READ_mDCV_SUPPORTED
1960
static png_handle_result_code /* PRIVATE */
1961
png_handle_mDCV(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1962
{
1963
   png_xy chromaticities;
1964
   png_byte buf[24];
1965

1966
   png_debug(1, "in png_handle_mDCV");
1967

1968
   png_crc_read(png_ptr, buf, 24);
1969

1970
   if (png_crc_finish(png_ptr, 0) != 0)
1971
      return handled_error;
1972

1973
   /* The error checking happens here, this puts it in just one place.  The
1974
    * odd /50000 scaling factor makes it more difficult but the (x.y) values are
1975
    * only two bytes so a <<1 is safe.
1976
    *
1977
    * WARNING: the PNG specification defines the cHRM chunk to **start** with
1978
    * the white point (x,y).  The W3C PNG v3 specification puts the white point
1979
    * **after* R,G,B.  The x,y values in mDCV are also scaled by 50,000 and
1980
    * stored in just two bytes, whereas those in cHRM are scaled by 100,000 and
1981
    * stored in four bytes.  This is very, very confusing.  These APIs remove
1982
    * the confusion by copying the existing, well established, API.
1983
    */
1984
   chromaticities.redx   = png_get_uint_16(buf+ 0U) << 1; /* red x */
1985
   chromaticities.redy   = png_get_uint_16(buf+ 2U) << 1; /* red y */
1986
   chromaticities.greenx = png_get_uint_16(buf+ 4U) << 1; /* green x */
1987
   chromaticities.greeny = png_get_uint_16(buf+ 6U) << 1; /* green y */
1988
   chromaticities.bluex  = png_get_uint_16(buf+ 8U) << 1; /* blue x */
1989
   chromaticities.bluey  = png_get_uint_16(buf+10U) << 1; /* blue y */
1990
   chromaticities.whitex = png_get_uint_16(buf+12U) << 1; /* white x */
1991
   chromaticities.whitey = png_get_uint_16(buf+14U) << 1; /* white y */
1992

1993
   png_set_mDCV_fixed(png_ptr, info_ptr,
1994
         chromaticities.whitex, chromaticities.whitey,
1995
         chromaticities.redx, chromaticities.redy,
1996
         chromaticities.greenx, chromaticities.greeny,
1997
         chromaticities.bluex, chromaticities.bluey,
1998
         png_get_uint_32(buf+16U), /* peak luminance */
1999
         png_get_uint_32(buf+20U));/* minimum perceivable luminance */
2000

2001
   /* We only use 'chromaticities' for RGB to gray */
2002
#  ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2003
      png_ptr->chromaticities = chromaticities;
2004
#  endif /* READ_RGB_TO_GRAY */
2005

2006
   return handled_ok;
2007
   PNG_UNUSED(length)
2008
}
2009
#else
2010
#  define png_handle_mDCV NULL
2011
#endif
2012

2013
#ifdef PNG_READ_eXIf_SUPPORTED
2014
static png_handle_result_code /* PRIVATE */
2015
png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2016
{
2017
   png_bytep buffer = NULL;
2018

2019
   png_debug(1, "in png_handle_eXIf");
2020

2021
   buffer = png_read_buffer(png_ptr, length);
2022

2023
   if (buffer == NULL)
2024
   {
2025
      png_crc_finish(png_ptr, length);
2026
      png_chunk_benign_error(png_ptr, "out of memory");
2027
      return handled_error;
2028
   }
2029

2030
   png_crc_read(png_ptr, buffer, length);
2031

2032
   if (png_crc_finish(png_ptr, 0) != 0)
2033
      return handled_error;
2034

2035
   /* PNGv3: the code used to check the byte order mark at the start for MM or
2036
    * II, however PNGv3 states that the the first 4 bytes should be checked.
2037
    * The caller ensures that there are four bytes available.
2038
    */
2039
   {
2040
      png_uint_32 header = png_get_uint_32(buffer);
2041

2042
      /* These numbers are copied from the PNGv3 spec: */
2043
      if (header != 0x49492A00 && header != 0x4D4D002A)
2044
      {
2045
         png_chunk_benign_error(png_ptr, "invalid");
2046
         return handled_error;
2047
      }
2048
   }
2049

2050
   png_set_eXIf_1(png_ptr, info_ptr, length, buffer);
2051
   return handled_ok;
2052
}
2053
#else
2054
#  define png_handle_eXIf NULL
2055
#endif
2056

2057
#ifdef PNG_READ_hIST_SUPPORTED
2058
static png_handle_result_code /* PRIVATE */
2059
png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2060
{
2061
   unsigned int num, i;
2062
   png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2063

2064
   png_debug(1, "in png_handle_hIST");
2065

2066
   /* This cast is safe because the chunk definition limits the length to a
2067
    * maximum of 1024 bytes.
2068
    *
2069
    * TODO: maybe use png_uint_32 anyway, not unsigned int, to reduce the
2070
    * casts.
2071
    */
2072
   num = (unsigned int)length / 2 ;
2073

2074
   if (length != num * 2 ||
2075
       num != (unsigned int)png_ptr->num_palette ||
2076
       num > (unsigned int)PNG_MAX_PALETTE_LENGTH)
2077
   {
2078
      png_crc_finish(png_ptr, length);
2079
      png_chunk_benign_error(png_ptr, "invalid");
2080
      return handled_error;
2081
   }
2082

2083
   for (i = 0; i < num; i++)
2084
   {
2085
      png_byte buf[2];
2086

2087
      png_crc_read(png_ptr, buf, 2);
2088
      readbuf[i] = png_get_uint_16(buf);
2089
   }
2090

2091
   if (png_crc_finish(png_ptr, 0) != 0)
2092
      return handled_error;
2093

2094
   png_set_hIST(png_ptr, info_ptr, readbuf);
2095
   return handled_ok;
2096
}
2097
#else
2098
#  define png_handle_hIST NULL
2099
#endif
2100

2101
#ifdef PNG_READ_pHYs_SUPPORTED
2102
static png_handle_result_code /* PRIVATE */
2103
png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2104
{
2105
   png_byte buf[9];
2106
   png_uint_32 res_x, res_y;
2107
   int unit_type;
2108

2109
   png_debug(1, "in png_handle_pHYs");
2110

2111
   png_crc_read(png_ptr, buf, 9);
2112

2113
   if (png_crc_finish(png_ptr, 0) != 0)
2114
      return handled_error;
2115

2116
   res_x = png_get_uint_32(buf);
2117
   res_y = png_get_uint_32(buf + 4);
2118
   unit_type = buf[8];
2119
   png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
2120
   return handled_ok;
2121
   PNG_UNUSED(length)
2122
}
2123
#else
2124
#  define png_handle_pHYs NULL
2125
#endif
2126

2127
#ifdef PNG_READ_oFFs_SUPPORTED
2128
static png_handle_result_code /* PRIVATE */
2129
png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2130
{
2131
   png_byte buf[9];
2132
   png_int_32 offset_x, offset_y;
2133
   int unit_type;
2134

2135
   png_debug(1, "in png_handle_oFFs");
2136

2137
   png_crc_read(png_ptr, buf, 9);
2138

2139
   if (png_crc_finish(png_ptr, 0) != 0)
2140
      return handled_error;
2141

2142
   offset_x = png_get_int_32(buf);
2143
   offset_y = png_get_int_32(buf + 4);
2144
   unit_type = buf[8];
2145
   png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
2146
   return handled_ok;
2147
   PNG_UNUSED(length)
2148
}
2149
#else
2150
#  define png_handle_oFFs NULL
2151
#endif
2152

2153
#ifdef PNG_READ_pCAL_SUPPORTED
2154
/* Read the pCAL chunk (described in the PNG Extensions document) */
2155
static png_handle_result_code /* PRIVATE */
2156
png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2157
{
2158
   png_int_32 X0, X1;
2159
   png_byte type, nparams;
2160
   png_bytep buffer, buf, units, endptr;
2161
   png_charpp params;
2162
   int i;
2163

2164
   png_debug(1, "in png_handle_pCAL");
2165
   png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
2166
       length + 1);
2167

2168
   buffer = png_read_buffer(png_ptr, length+1);
2169

2170
   if (buffer == NULL)
2171
   {
2172
      png_crc_finish(png_ptr, length);
2173
      png_chunk_benign_error(png_ptr, "out of memory");
2174
      return handled_error;
2175
   }
2176

2177
   png_crc_read(png_ptr, buffer, length);
2178

2179
   if (png_crc_finish(png_ptr, 0) != 0)
2180
      return handled_error;
2181

2182
   buffer[length] = 0; /* Null terminate the last string */
2183

2184
   png_debug(3, "Finding end of pCAL purpose string");
2185
   for (buf = buffer; *buf; buf++)
2186
      /* Empty loop */ ;
2187

2188
   endptr = buffer + length;
2189

2190
   /* We need to have at least 12 bytes after the purpose string
2191
    * in order to get the parameter information.
2192
    */
2193
   if (endptr - buf <= 12)
2194
   {
2195
      png_chunk_benign_error(png_ptr, "invalid");
2196
      return handled_error;
2197
   }
2198

2199
   png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
2200
   X0 = png_get_int_32((png_bytep)buf+1);
2201
   X1 = png_get_int_32((png_bytep)buf+5);
2202
   type = buf[9];
2203
   nparams = buf[10];
2204
   units = buf + 11;
2205

2206
   png_debug(3, "Checking pCAL equation type and number of parameters");
2207
   /* Check that we have the right number of parameters for known
2208
    * equation types.
2209
    */
2210
   if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
2211
       (type == PNG_EQUATION_BASE_E && nparams != 3) ||
2212
       (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
2213
       (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
2214
   {
2215
      png_chunk_benign_error(png_ptr, "invalid parameter count");
2216
      return handled_error;
2217
   }
2218

2219
   else if (type >= PNG_EQUATION_LAST)
2220
   {
2221
      png_chunk_benign_error(png_ptr, "unrecognized equation type");
2222
   }
2223

2224
   for (buf = units; *buf; buf++)
2225
      /* Empty loop to move past the units string. */ ;
2226

2227
   png_debug(3, "Allocating pCAL parameters array");
2228

2229
   params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2230
       nparams * (sizeof (png_charp))));
2231

2232
   if (params == NULL)
2233
   {
2234
      png_chunk_benign_error(png_ptr, "out of memory");
2235
      return handled_error;
2236
   }
2237

2238
   /* Get pointers to the start of each parameter string. */
2239
   for (i = 0; i < nparams; i++)
2240
   {
2241
      buf++; /* Skip the null string terminator from previous parameter. */
2242

2243
      png_debug1(3, "Reading pCAL parameter %d", i);
2244

2245
      for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
2246
         /* Empty loop to move past each parameter string */ ;
2247

2248
      /* Make sure we haven't run out of data yet */
2249
      if (buf > endptr)
2250
      {
2251
         png_free(png_ptr, params);
2252
         png_chunk_benign_error(png_ptr, "invalid data");
2253
         return handled_error;
2254
      }
2255
   }
2256

2257
   png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
2258
       (png_charp)units, params);
2259

2260
   /* TODO: BUG: png_set_pCAL calls png_chunk_report which, in this case, calls
2261
    * png_benign_error and that can error out.
2262
    *
2263
    * png_read_buffer needs to be allocated with space for both nparams and the
2264
    * parameter strings.  Not hard to do.
2265
    */
2266
   png_free(png_ptr, params);
2267
   return handled_ok;
2268
}
2269
#else
2270
#  define png_handle_pCAL NULL
2271
#endif
2272

2273
#ifdef PNG_READ_sCAL_SUPPORTED
2274
/* Read the sCAL chunk */
2275
static png_handle_result_code /* PRIVATE */
2276
png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2277
{
2278
   png_bytep buffer;
2279
   size_t i;
2280
   int state;
2281

2282
   png_debug(1, "in png_handle_sCAL");
2283
   png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
2284
       length + 1);
2285

2286
   buffer = png_read_buffer(png_ptr, length+1);
2287

2288
   if (buffer == NULL)
2289
   {
2290
      png_crc_finish(png_ptr, length);
2291
      png_chunk_benign_error(png_ptr, "out of memory");
2292
      return handled_error;
2293
   }
2294

2295
   png_crc_read(png_ptr, buffer, length);
2296
   buffer[length] = 0; /* Null terminate the last string */
2297

2298
   if (png_crc_finish(png_ptr, 0) != 0)
2299
      return handled_error;
2300

2301
   /* Validate the unit. */
2302
   if (buffer[0] != 1 && buffer[0] != 2)
2303
   {
2304
      png_chunk_benign_error(png_ptr, "invalid unit");
2305
      return handled_error;
2306
   }
2307

2308
   /* Validate the ASCII numbers, need two ASCII numbers separated by
2309
    * a '\0' and they need to fit exactly in the chunk data.
2310
    */
2311
   i = 1;
2312
   state = 0;
2313

2314
   if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 ||
2315
       i >= length || buffer[i++] != 0)
2316
      png_chunk_benign_error(png_ptr, "bad width format");
2317

2318
   else if (PNG_FP_IS_POSITIVE(state) == 0)
2319
      png_chunk_benign_error(png_ptr, "non-positive width");
2320

2321
   else
2322
   {
2323
      size_t heighti = i;
2324

2325
      state = 0;
2326
      if (png_check_fp_number((png_const_charp)buffer, length,
2327
          &state, &i) == 0 || i != length)
2328
         png_chunk_benign_error(png_ptr, "bad height format");
2329

2330
      else if (PNG_FP_IS_POSITIVE(state) == 0)
2331
         png_chunk_benign_error(png_ptr, "non-positive height");
2332

2333
      else
2334
      {
2335
         /* This is the (only) success case. */
2336
         png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
2337
             (png_charp)buffer+1, (png_charp)buffer+heighti);
2338
         return handled_ok;
2339
      }
2340
   }
2341

2342
   return handled_error;
2343
}
2344
#else
2345
#  define png_handle_sCAL NULL
2346
#endif
2347

2348
#ifdef PNG_READ_tIME_SUPPORTED
2349
static png_handle_result_code /* PRIVATE */
2350
png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2351
{
2352
   png_byte buf[7];
2353
   png_time mod_time;
2354

2355
   png_debug(1, "in png_handle_tIME");
2356

2357
   /* TODO: what is this doing here?  It should be happened in pngread.c and
2358
    * pngpread.c, although it could be moved to png_handle_chunk below and
2359
    * thereby avoid some code duplication.
2360
    */
2361
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2362
      png_ptr->mode |= PNG_AFTER_IDAT;
2363

2364
   png_crc_read(png_ptr, buf, 7);
2365

2366
   if (png_crc_finish(png_ptr, 0) != 0)
2367
      return handled_error;
2368

2369
   mod_time.second = buf[6];
2370
   mod_time.minute = buf[5];
2371
   mod_time.hour = buf[4];
2372
   mod_time.day = buf[3];
2373
   mod_time.month = buf[2];
2374
   mod_time.year = png_get_uint_16(buf);
2375

2376
   png_set_tIME(png_ptr, info_ptr, &mod_time);
2377
   return handled_ok;
2378
   PNG_UNUSED(length)
2379
}
2380
#else
2381
#  define png_handle_tIME NULL
2382
#endif
2383

2384
#ifdef PNG_READ_tEXt_SUPPORTED
2385
/* Note: this does not properly handle chunks that are > 64K under DOS */
2386
static png_handle_result_code /* PRIVATE */
2387
png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2388
{
2389
   png_text  text_info;
2390
   png_bytep buffer;
2391
   png_charp key;
2392
   png_charp text;
2393
   png_uint_32 skip = 0;
2394

2395
   png_debug(1, "in png_handle_tEXt");
2396

2397
#ifdef PNG_USER_LIMITS_SUPPORTED
2398
   if (png_ptr->user_chunk_cache_max != 0)
2399
   {
2400
      if (png_ptr->user_chunk_cache_max == 1)
2401
      {
2402
         png_crc_finish(png_ptr, length);
2403
         return handled_error;
2404
      }
2405

2406
      if (--png_ptr->user_chunk_cache_max == 1)
2407
      {
2408
         png_crc_finish(png_ptr, length);
2409
         png_chunk_benign_error(png_ptr, "no space in chunk cache");
2410
         return handled_error;
2411
      }
2412
   }
2413
#endif
2414

2415
   /* TODO: this doesn't work and shouldn't be necessary. */
2416
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2417
      png_ptr->mode |= PNG_AFTER_IDAT;
2418

2419
   buffer = png_read_buffer(png_ptr, length+1);
2420

2421
   if (buffer == NULL)
2422
   {
2423
      png_crc_finish(png_ptr, length);
2424
      png_chunk_benign_error(png_ptr, "out of memory");
2425
      return handled_error;
2426
   }
2427

2428
   png_crc_read(png_ptr, buffer, length);
2429

2430
   if (png_crc_finish(png_ptr, skip) != 0)
2431
      return handled_error;
2432

2433
   key = (png_charp)buffer;
2434
   key[length] = 0;
2435

2436
   for (text = key; *text; text++)
2437
      /* Empty loop to find end of key */ ;
2438

2439
   if (text != key + length)
2440
      text++;
2441

2442
   text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2443
   text_info.key = key;
2444
   text_info.lang = NULL;
2445
   text_info.lang_key = NULL;
2446
   text_info.itxt_length = 0;
2447
   text_info.text = text;
2448
   text_info.text_length = strlen(text);
2449

2450
   if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) == 0)
2451
      return handled_ok;
2452

2453
   png_chunk_benign_error(png_ptr, "out of memory");
2454
   return handled_error;
2455
}
2456
#else
2457
#  define png_handle_tEXt NULL
2458
#endif
2459

2460
#ifdef PNG_READ_zTXt_SUPPORTED
2461
/* Note: this does not correctly handle chunks that are > 64K under DOS */
2462
static png_handle_result_code /* PRIVATE */
2463
png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2464
{
2465
   png_const_charp errmsg = NULL;
2466
   png_bytep       buffer;
2467
   png_uint_32     keyword_length;
2468

2469
   png_debug(1, "in png_handle_zTXt");
2470

2471
#ifdef PNG_USER_LIMITS_SUPPORTED
2472
   if (png_ptr->user_chunk_cache_max != 0)
2473
   {
2474
      if (png_ptr->user_chunk_cache_max == 1)
2475
      {
2476
         png_crc_finish(png_ptr, length);
2477
         return handled_error;
2478
      }
2479

2480
      if (--png_ptr->user_chunk_cache_max == 1)
2481
      {
2482
         png_crc_finish(png_ptr, length);
2483
         png_chunk_benign_error(png_ptr, "no space in chunk cache");
2484
         return handled_error;
2485
      }
2486
   }
2487
#endif
2488

2489
   /* TODO: should not be necessary. */
2490
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2491
      png_ptr->mode |= PNG_AFTER_IDAT;
2492

2493
   /* Note, "length" is sufficient here; we won't be adding
2494
    * a null terminator later.  The limit check in png_handle_chunk should be
2495
    * sufficient.
2496
    */
2497
   buffer = png_read_buffer(png_ptr, length);
2498

2499
   if (buffer == NULL)
2500
   {
2501
      png_crc_finish(png_ptr, length);
2502
      png_chunk_benign_error(png_ptr, "out of memory");
2503
      return handled_error;
2504
   }
2505

2506
   png_crc_read(png_ptr, buffer, length);
2507

2508
   if (png_crc_finish(png_ptr, 0) != 0)
2509
      return handled_error;
2510

2511
   /* TODO: also check that the keyword contents match the spec! */
2512
   for (keyword_length = 0;
2513
      keyword_length < length && buffer[keyword_length] != 0;
2514
      ++keyword_length)
2515
      /* Empty loop to find end of name */ ;
2516

2517
   if (keyword_length > 79 || keyword_length < 1)
2518
      errmsg = "bad keyword";
2519

2520
   /* zTXt must have some LZ data after the keyword, although it may expand to
2521
    * zero bytes; we need a '\0' at the end of the keyword, the compression type
2522
    * then the LZ data:
2523
    */
2524
   else if (keyword_length + 3 > length)
2525
      errmsg = "truncated";
2526

2527
   else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
2528
      errmsg = "unknown compression type";
2529

2530
   else
2531
   {
2532
      png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2533

2534
      /* TODO: at present png_decompress_chunk imposes a single application
2535
       * level memory limit, this should be split to different values for iCCP
2536
       * and text chunks.
2537
       */
2538
      if (png_decompress_chunk(png_ptr, length, keyword_length+2,
2539
          &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2540
      {
2541
         png_text text;
2542

2543
         if (png_ptr->read_buffer == NULL)
2544
           errmsg="Read failure in png_handle_zTXt";
2545
         else
2546
         {
2547
            /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
2548
             * except for the extra compression type byte and the fact that
2549
             * it isn't necessarily '\0' terminated.
2550
             */
2551
            buffer = png_ptr->read_buffer;
2552
            buffer[uncompressed_length+(keyword_length+2)] = 0;
2553

2554
            text.compression = PNG_TEXT_COMPRESSION_zTXt;
2555
            text.key = (png_charp)buffer;
2556
            text.text = (png_charp)(buffer + keyword_length+2);
2557
            text.text_length = uncompressed_length;
2558
            text.itxt_length = 0;
2559
            text.lang = NULL;
2560
            text.lang_key = NULL;
2561

2562
            if (png_set_text_2(png_ptr, info_ptr, &text, 1) == 0)
2563
               return handled_ok;
2564

2565
            errmsg = "out of memory";
2566
         }
2567
      }
2568

2569
      else
2570
         errmsg = png_ptr->zstream.msg;
2571
   }
2572

2573
   png_chunk_benign_error(png_ptr, errmsg);
2574
   return handled_error;
2575
}
2576
#else
2577
#  define png_handle_zTXt NULL
2578
#endif
2579

2580
#ifdef PNG_READ_iTXt_SUPPORTED
2581
/* Note: this does not correctly handle chunks that are > 64K under DOS */
2582
static png_handle_result_code /* PRIVATE */
2583
png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2584
{
2585
   png_const_charp errmsg = NULL;
2586
   png_bytep buffer;
2587
   png_uint_32 prefix_length;
2588

2589
   png_debug(1, "in png_handle_iTXt");
2590

2591
#ifdef PNG_USER_LIMITS_SUPPORTED
2592
   if (png_ptr->user_chunk_cache_max != 0)
2593
   {
2594
      if (png_ptr->user_chunk_cache_max == 1)
2595
      {
2596
         png_crc_finish(png_ptr, length);
2597
         return handled_error;
2598
      }
2599

2600
      if (--png_ptr->user_chunk_cache_max == 1)
2601
      {
2602
         png_crc_finish(png_ptr, length);
2603
         png_chunk_benign_error(png_ptr, "no space in chunk cache");
2604
         return handled_error;
2605
      }
2606
   }
2607
#endif
2608

2609
   /* TODO: should not be necessary. */
2610
   if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
2611
      png_ptr->mode |= PNG_AFTER_IDAT;
2612

2613
   buffer = png_read_buffer(png_ptr, length+1);
2614

2615
   if (buffer == NULL)
2616
   {
2617
      png_crc_finish(png_ptr, length);
2618
      png_chunk_benign_error(png_ptr, "out of memory");
2619
      return handled_error;
2620
   }
2621

2622
   png_crc_read(png_ptr, buffer, length);
2623

2624
   if (png_crc_finish(png_ptr, 0) != 0)
2625
      return handled_error;
2626

2627
   /* First the keyword. */
2628
   for (prefix_length=0;
2629
      prefix_length < length && buffer[prefix_length] != 0;
2630
      ++prefix_length)
2631
      /* Empty loop */ ;
2632

2633
   /* Perform a basic check on the keyword length here. */
2634
   if (prefix_length > 79 || prefix_length < 1)
2635
      errmsg = "bad keyword";
2636

2637
   /* Expect keyword, compression flag, compression type, language, translated
2638
    * keyword (both may be empty but are 0 terminated) then the text, which may
2639
    * be empty.
2640
    */
2641
   else if (prefix_length + 5 > length)
2642
      errmsg = "truncated";
2643

2644
   else if (buffer[prefix_length+1] == 0 ||
2645
      (buffer[prefix_length+1] == 1 &&
2646
      buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
2647
   {
2648
      int compressed = buffer[prefix_length+1] != 0;
2649
      png_uint_32 language_offset, translated_keyword_offset;
2650
      png_alloc_size_t uncompressed_length = 0;
2651

2652
      /* Now the language tag */
2653
      prefix_length += 3;
2654
      language_offset = prefix_length;
2655

2656
      for (; prefix_length < length && buffer[prefix_length] != 0;
2657
         ++prefix_length)
2658
         /* Empty loop */ ;
2659

2660
      /* WARNING: the length may be invalid here, this is checked below. */
2661
      translated_keyword_offset = ++prefix_length;
2662

2663
      for (; prefix_length < length && buffer[prefix_length] != 0;
2664
         ++prefix_length)
2665
         /* Empty loop */ ;
2666

2667
      /* prefix_length should now be at the trailing '\0' of the translated
2668
       * keyword, but it may already be over the end.  None of this arithmetic
2669
       * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2670
       * systems the available allocation may overflow.
2671
       */
2672
      ++prefix_length;
2673

2674
      if (compressed == 0 && prefix_length <= length)
2675
         uncompressed_length = length - prefix_length;
2676

2677
      else if (compressed != 0 && prefix_length < length)
2678
      {
2679
         uncompressed_length = PNG_SIZE_MAX;
2680

2681
         /* TODO: at present png_decompress_chunk imposes a single application
2682
          * level memory limit, this should be split to different values for
2683
          * iCCP and text chunks.
2684
          */
2685
         if (png_decompress_chunk(png_ptr, length, prefix_length,
2686
             &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
2687
            buffer = png_ptr->read_buffer;
2688

2689
         else
2690
            errmsg = png_ptr->zstream.msg;
2691
      }
2692

2693
      else
2694
         errmsg = "truncated";
2695

2696
      if (errmsg == NULL)
2697
      {
2698
         png_text text;
2699

2700
         buffer[uncompressed_length+prefix_length] = 0;
2701

2702
         if (compressed == 0)
2703
            text.compression = PNG_ITXT_COMPRESSION_NONE;
2704

2705
         else
2706
            text.compression = PNG_ITXT_COMPRESSION_zTXt;
2707

2708
         text.key = (png_charp)buffer;
2709
         text.lang = (png_charp)buffer + language_offset;
2710
         text.lang_key = (png_charp)buffer + translated_keyword_offset;
2711
         text.text = (png_charp)buffer + prefix_length;
2712
         text.text_length = 0;
2713
         text.itxt_length = uncompressed_length;
2714

2715
         if (png_set_text_2(png_ptr, info_ptr, &text, 1) == 0)
2716
            return handled_ok;
2717

2718
         errmsg = "out of memory";
2719
      }
2720
   }
2721

2722
   else
2723
      errmsg = "bad compression info";
2724

2725
   if (errmsg != NULL)
2726
      png_chunk_benign_error(png_ptr, errmsg);
2727
   return handled_error;
2728
}
2729
#else
2730
#  define png_handle_iTXt NULL
2731
#endif
2732

2733
#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2734
/* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
2735
static int
2736
png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2737
{
2738
   const png_alloc_size_t limit = png_chunk_max(png_ptr);
2739

2740
   if (png_ptr->unknown_chunk.data != NULL)
2741
   {
2742
      png_free(png_ptr, png_ptr->unknown_chunk.data);
2743
      png_ptr->unknown_chunk.data = NULL;
2744
   }
2745

2746
   if (length <= limit)
2747
   {
2748
      PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2749
      /* The following is safe because of the PNG_SIZE_MAX init above */
2750
      png_ptr->unknown_chunk.size = (size_t)length/*SAFE*/;
2751
      /* 'mode' is a flag array, only the bottom four bits matter here */
2752
      png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
2753

2754
      if (length == 0)
2755
         png_ptr->unknown_chunk.data = NULL;
2756

2757
      else
2758
      {
2759
         /* Do a 'warn' here - it is handled below. */
2760
         png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2761
             png_malloc_warn(png_ptr, length));
2762
      }
2763
   }
2764

2765
   if (png_ptr->unknown_chunk.data == NULL && length > 0)
2766
   {
2767
      /* This is benign because we clean up correctly */
2768
      png_crc_finish(png_ptr, length);
2769
      png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2770
      return 0;
2771
   }
2772

2773
   else
2774
   {
2775
      if (length > 0)
2776
         png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2777
      png_crc_finish(png_ptr, 0);
2778
      return 1;
2779
   }
2780
}
2781
#endif /* READ_UNKNOWN_CHUNKS */
2782

2783
/* Handle an unknown, or known but disabled, chunk */
2784
png_handle_result_code /*PRIVATE*/
2785
png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2786
    png_uint_32 length, int keep)
2787
{
2788
   png_handle_result_code handled = handled_discarded; /* the default */
2789

2790
   png_debug(1, "in png_handle_unknown");
2791

2792
#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2793
   /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
2794
    * the bug which meant that setting a non-default behavior for a specific
2795
    * chunk would be ignored (the default was always used unless a user
2796
    * callback was installed).
2797
    *
2798
    * 'keep' is the value from the png_chunk_unknown_handling, the setting for
2799
    * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2800
    * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2801
    * This is just an optimization to avoid multiple calls to the lookup
2802
    * function.
2803
    */
2804
#  ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2805
#     ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2806
   keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2807
#     endif
2808
#  endif
2809

2810
   /* One of the following methods will read the chunk or skip it (at least one
2811
    * of these is always defined because this is the only way to switch on
2812
    * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2813
    */
2814
#  ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2815
   /* The user callback takes precedence over the chunk keep value, but the
2816
    * keep value is still required to validate a save of a critical chunk.
2817
    */
2818
   if (png_ptr->read_user_chunk_fn != NULL)
2819
   {
2820
      if (png_cache_unknown_chunk(png_ptr, length) != 0)
2821
      {
2822
         /* Callback to user unknown chunk handler */
2823
         int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2824
             &png_ptr->unknown_chunk);
2825

2826
         /* ret is:
2827
          * negative: An error occurred; png_chunk_error will be called.
2828
          *     zero: The chunk was not handled, the chunk will be discarded
2829
          *           unless png_set_keep_unknown_chunks has been used to set
2830
          *           a 'keep' behavior for this particular chunk, in which
2831
          *           case that will be used.  A critical chunk will cause an
2832
          *           error at this point unless it is to be saved.
2833
          * positive: The chunk was handled, libpng will ignore/discard it.
2834
          */
2835
         if (ret < 0) /* handled_error */
2836
            png_chunk_error(png_ptr, "error in user chunk");
2837

2838
         else if (ret == 0)
2839
         {
2840
            /* If the keep value is 'default' or 'never' override it, but
2841
             * still error out on critical chunks unless the keep value is
2842
             * 'always'  While this is weird it is the behavior in 1.4.12.
2843
             * A possible improvement would be to obey the value set for the
2844
             * chunk, but this would be an API change that would probably
2845
             * damage some applications.
2846
             *
2847
             * The png_app_warning below catches the case that matters, where
2848
             * the application has not set specific save or ignore for this
2849
             * chunk or global save or ignore.
2850
             */
2851
            if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2852
            {
2853
#              ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2854
               if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2855
               {
2856
                  png_chunk_warning(png_ptr, "Saving unknown chunk:");
2857
                  png_app_warning(png_ptr,
2858
                      "forcing save of an unhandled chunk;"
2859
                      " please call png_set_keep_unknown_chunks");
2860
                      /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
2861
               }
2862
#              endif
2863
               keep = PNG_HANDLE_CHUNK_IF_SAFE;
2864
            }
2865
         }
2866

2867
         else /* chunk was handled */
2868
         {
2869
            handled = handled_ok;
2870
            /* Critical chunks can be safely discarded at this point. */
2871
            keep = PNG_HANDLE_CHUNK_NEVER;
2872
         }
2873
      }
2874

2875
      else
2876
         keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
2877
   }
2878

2879
   else
2880
   /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
2881
#  endif /* READ_USER_CHUNKS */
2882

2883
#  ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2884
   {
2885
      /* keep is currently just the per-chunk setting, if there was no
2886
       * setting change it to the global default now (not that this may
2887
       * still be AS_DEFAULT) then obtain the cache of the chunk if required,
2888
       * if not simply skip the chunk.
2889
       */
2890
      if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
2891
         keep = png_ptr->unknown_default;
2892

2893
      if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2894
         (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2895
          PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2896
      {
2897
         if (png_cache_unknown_chunk(png_ptr, length) == 0)
2898
            keep = PNG_HANDLE_CHUNK_NEVER;
2899
      }
2900

2901
      else
2902
         png_crc_finish(png_ptr, length);
2903
   }
2904
#  else
2905
#     ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2906
#        error no method to support READ_UNKNOWN_CHUNKS
2907
#     endif
2908

2909
   {
2910
      /* If here there is no read callback pointer set and no support is
2911
       * compiled in to just save the unknown chunks, so simply skip this
2912
       * chunk.  If 'keep' is something other than AS_DEFAULT or NEVER then
2913
       * the app has erroneously asked for unknown chunk saving when there
2914
       * is no support.
2915
       */
2916
      if (keep > PNG_HANDLE_CHUNK_NEVER)
2917
         png_app_error(png_ptr, "no unknown chunk support available");
2918

2919
      png_crc_finish(png_ptr, length);
2920
   }
2921
#  endif
2922

2923
#  ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2924
   /* Now store the chunk in the chunk list if appropriate, and if the limits
2925
    * permit it.
2926
    */
2927
   if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
2928
      (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2929
       PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2930
   {
2931
#     ifdef PNG_USER_LIMITS_SUPPORTED
2932
      switch (png_ptr->user_chunk_cache_max)
2933
      {
2934
         case 2:
2935
            png_ptr->user_chunk_cache_max = 1;
2936
            png_chunk_benign_error(png_ptr, "no space in chunk cache");
2937
            /* FALLTHROUGH */
2938
         case 1:
2939
            /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
2940
             * chunk being skipped, now there will be a hard error below.
2941
             */
2942
            break;
2943

2944
         default: /* not at limit */
2945
            --(png_ptr->user_chunk_cache_max);
2946
            /* FALLTHROUGH */
2947
         case 0: /* no limit */
2948
#  endif /* USER_LIMITS */
2949
            /* Here when the limit isn't reached or when limits are compiled
2950
             * out; store the chunk.
2951
             */
2952
            png_set_unknown_chunks(png_ptr, info_ptr,
2953
                &png_ptr->unknown_chunk, 1);
2954
            handled = handled_saved;
2955
#  ifdef PNG_USER_LIMITS_SUPPORTED
2956
            break;
2957
      }
2958
#  endif
2959
   }
2960
#  else /* no store support: the chunk must be handled by the user callback */
2961
   PNG_UNUSED(info_ptr)
2962
#  endif
2963

2964
   /* Regardless of the error handling below the cached data (if any) can be
2965
    * freed now.  Notice that the data is not freed if there is a png_error, but
2966
    * it will be freed by destroy_read_struct.
2967
    */
2968
   if (png_ptr->unknown_chunk.data != NULL)
2969
      png_free(png_ptr, png_ptr->unknown_chunk.data);
2970
   png_ptr->unknown_chunk.data = NULL;
2971

2972
#else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
2973
   /* There is no support to read an unknown chunk, so just skip it. */
2974
   png_crc_finish(png_ptr, length);
2975
   PNG_UNUSED(info_ptr)
2976
   PNG_UNUSED(keep)
2977
#endif /* !READ_UNKNOWN_CHUNKS */
2978

2979
   /* Check for unhandled critical chunks */
2980
   if (handled < handled_saved && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
2981
      png_chunk_error(png_ptr, "unhandled critical chunk");
2982

2983
   return handled;
2984
}
2985

2986
/* APNG handling: the minimal implementation of APNG handling in libpng 1.6
2987
 * requires that those significant applications which already handle APNG not
2988
 * get hosed.  To do this ensure the code here will have to ensure than APNG
2989
 * data by default (at least in 1.6) gets stored in the unknown chunk list.
2990
 * Maybe this can be relaxed in a few years but at present it's just the only
2991
 * safe way.
2992
 *
2993
 * ATM just cause unknown handling for all three chunks:
2994
 */
2995
#define png_handle_acTL NULL
2996
#define png_handle_fcTL NULL
2997
#define png_handle_fdAT NULL
2998

2999
/*
3000
 * 1.6.47: This is the new table driven interface to all the chunk handling.
3001
 *
3002
 * The table describes the PNG standard rules for **reading** known chunks -
3003
 * every chunk which has an entry in PNG_KNOWN_CHUNKS.  The table contains an
3004
 * entry for each PNG_INDEX_cHNK describing the rules.
3005
 *
3006
 * In this initial version the only information in the entry is the
3007
 * png_handle_cHNK function for the chunk in question.  When chunk support is
3008
 * compiled out the entry will be NULL.
3009
 */
3010
static const struct
3011
{
3012
   png_handle_result_code (*handler)(
3013
         png_structrp, png_inforp, png_uint_32 length);
3014
      /* A chunk-specific 'handler', NULL if the chunk is not supported in this
3015
       * build.
3016
       */
3017

3018
   /* Crushing these values helps on modern 32-bit architectures because the
3019
    * pointer and the following bit fields both end up requiring 32 bits.
3020
    * Typically this will halve the table size.  On 64-bit architectures the
3021
    * table entries will typically be 8 bytes.
3022
    */
3023
   png_uint_32 max_length :12; /* Length min, max in bytes */
3024
   png_uint_32 min_length :8;
3025
      /* Length errors on critical chunks have special handling to preserve the
3026
       * existing behaviour in libpng 1.6.  Anciallary chunks are checked below
3027
       * and produce a 'benign' error.
3028
       */
3029
   png_uint_32 pos_before :4; /* PNG_HAVE_ values chunk must precede */
3030
   png_uint_32 pos_after  :4; /* PNG_HAVE_ values chunk must follow */
3031
      /* NOTE: PLTE, tRNS and bKGD require special handling which depends on
3032
       * the colour type of the base image.
3033
       */
3034
   png_uint_32 multiple   :1; /* Multiple occurences permitted */
3035
      /* This is enabled for PLTE because PLTE may, in practice, be optional */
3036
}
3037
read_chunks[PNG_INDEX_unknown] =
3038
{
3039
   /* Definitions as above but done indirectly by #define so that
3040
    * PNG_KNOWN_CHUNKS can be used safely to build the table in order.
3041
    *
3042
    * Each CDcHNK definition lists the values for the parameters **after**
3043
    * the first, 'handler', function.  'handler' is NULL when the chunk has no
3044
    * compiled in support.
3045
    */
3046
#  define NoCheck 0x801U      /* Do not check the maximum length */
3047
#  define Limit   0x802U      /* Limit to png_chunk_max bytes */
3048
#  define LKMin   3U+LZ77Min  /* Minimum length of keyword+LZ77 */
3049

3050
#define hIHDR PNG_HAVE_IHDR
3051
#define hPLTE PNG_HAVE_PLTE
3052
#define hIDAT PNG_HAVE_IDAT
3053
   /* For the two chunks, tRNS and bKGD which can occur in PNGs without a PLTE
3054
    * but must occur after the PLTE use this and put the check in the handler
3055
    * routine for colour mapped images were PLTE is required.  Also put a check
3056
    * in PLTE for other image types to drop the PLTE if tRNS or bKGD have been
3057
    * seen.
3058
    */
3059
#define hCOL  (PNG_HAVE_PLTE|PNG_HAVE_IDAT)
3060
   /* Used for the decoding chunks which must be before PLTE. */
3061
#define aIDAT PNG_AFTER_IDAT
3062

3063
   /* Chunks from W3C PNG v3: */
3064
   /*       cHNK  max_len,   min, before, after, multiple */
3065
#  define CDIHDR      13U,   13U,  hIHDR,     0,        0
3066
#  define CDPLTE  NoCheck,    0U,      0, hIHDR,        1
3067
      /* PLTE errors are only critical for colour-map images, consequently the
3068
       * hander does all the checks.
3069
       */
3070
#  define CDIDAT  NoCheck,    0U,  aIDAT, hIHDR,        1
3071
#  define CDIEND  NoCheck,    0U,      0, aIDAT,        0
3072
      /* Historically data was allowed in IEND */
3073
#  define CDtRNS     256U,    0U,  hIDAT, hIHDR,        0
3074
#  define CDcHRM      32U,   32U,   hCOL, hIHDR,        0
3075
#  define CDgAMA       4U,    4U,   hCOL, hIHDR,        0
3076
#  define CDiCCP  NoCheck, LKMin,   hCOL, hIHDR,        0
3077
#  define CDsBIT       4U,    1U,   hCOL, hIHDR,        0
3078
#  define CDsRGB       1U,    1U,   hCOL, hIHDR,        0
3079
#  define CDcICP       4U,    4U,   hCOL, hIHDR,        0
3080
#  define CDmDCV      24U,   24U,   hCOL, hIHDR,        0
3081
#  define CDeXIf    Limit,    4U,      0, hIHDR,        0
3082
#  define CDcLLI       8U,    8U,   hCOL, hIHDR,        0
3083
#  define CDtEXt  NoCheck,    2U,      0, hIHDR,        1
3084
      /* Allocates 'length+1'; checked in the handler */
3085
#  define CDzTXt    Limit, LKMin,      0, hIHDR,        1
3086
#  define CDiTXt  NoCheck,    6U,      0, hIHDR,        1
3087
      /* Allocates 'length+1'; checked in the handler */
3088
#  define CDbKGD       6U,    1U,  hIDAT, hIHDR,        0
3089
#  define CDhIST    1024U,    0U,  hPLTE, hIHDR,        0
3090
#  define CDpHYs       9U,    9U,  hIDAT, hIHDR,        0
3091
#  define CDsPLT  NoCheck,    3U,  hIDAT, hIHDR,        1
3092
      /* Allocates 'length+1'; checked in the handler */
3093
#  define CDtIME       7U,    7U,      0, hIHDR,        0
3094
#  define CDacTL       8U,    8U,  hIDAT, hIHDR,        0
3095
#  define CDfcTL      25U,   26U,      0, hIHDR,        1
3096
#  define CDfdAT    Limit,    4U,  hIDAT, hIHDR,        1
3097
   /* Supported chunks from PNG extensions 1.5.0, NYI so limit */
3098
#  define CDoFFs       9U,    9U,  hIDAT, hIHDR,        0
3099
#  define CDpCAL  NoCheck,   14U,  hIDAT, hIHDR,        0
3100
      /* Allocates 'length+1'; checked in the handler */
3101
#  define CDsCAL    Limit,    4U,  hIDAT, hIHDR,        0
3102
      /* Allocates 'length+1'; checked in the handler */
3103

3104
#  define PNG_CHUNK(cHNK, index) { png_handle_ ## cHNK, CD ## cHNK },
3105
   PNG_KNOWN_CHUNKS
3106
#  undef PNG_CHUNK
3107
};
3108

3109

3110
static png_index
3111
png_chunk_index_from_name(png_uint_32 chunk_name)
3112
{
3113
   /* For chunk png_cHNK return PNG_INDEX_cHNK.  Return PNG_INDEX_unknown if
3114
    * chunk_name is not known.  Notice that in a particular build "known" does
3115
    * not necessarily mean "supported", although the inverse applies.
3116
    */
3117
   switch (chunk_name)
3118
   {
3119
#     define PNG_CHUNK(cHNK, index)\
3120
         case png_ ## cHNK: return PNG_INDEX_ ## cHNK; /* == index */
3121

3122
      PNG_KNOWN_CHUNKS
3123

3124
#     undef PNG_CHUNK
3125

3126
      default: return PNG_INDEX_unknown;
3127
   }
3128
}
3129

3130
png_handle_result_code /*PRIVATE*/
3131
png_handle_chunk(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
3132
{
3133
   /* CSE: these things don't change, these autos are just to save typing and
3134
    * make the code more clear.
3135
    */
3136
   const png_uint_32 chunk_name = png_ptr->chunk_name;
3137
   const png_index chunk_index = png_chunk_index_from_name(chunk_name);
3138

3139
   png_handle_result_code handled = handled_error;
3140
   png_const_charp errmsg = NULL;
3141

3142
   /* Is this a known chunk?  If not there are no checks performed here;
3143
    * png_handle_unknown does the correct checks.  This means that the values
3144
    * for known but unsupported chunks in the above table are not used here
3145
    * however the chunks_seen fields in png_struct are still set.
3146
    */
3147
   if (chunk_index == PNG_INDEX_unknown ||
3148
       read_chunks[chunk_index].handler == NULL)
3149
   {
3150
      handled = png_handle_unknown(
3151
            png_ptr, info_ptr, length, PNG_HANDLE_CHUNK_AS_DEFAULT);
3152
   }
3153

3154
   /* First check the position.   The first check is historical; the stream must
3155
    * start with IHDR and anything else causes libpng to give up immediately.
3156
    */
3157
   else if (chunk_index != PNG_INDEX_IHDR &&
3158
            (png_ptr->mode & PNG_HAVE_IHDR) == 0)
3159
      png_chunk_error(png_ptr, "missing IHDR"); /* NORETURN */
3160

3161
   /* Before all the pos_before chunks, after all the pos_after chunks. */
3162
   else if (((png_ptr->mode & read_chunks[chunk_index].pos_before) != 0) ||
3163
            ((png_ptr->mode & read_chunks[chunk_index].pos_after) !=
3164
             read_chunks[chunk_index].pos_after))
3165
   {
3166
      errmsg = "out of place";
3167
   }
3168

3169
   /* Now check for duplicates: duplicated critical chunks also produce a
3170
    * full error.
3171
    */
3172
   else if (read_chunks[chunk_index].multiple == 0 &&
3173
            png_file_has_chunk(png_ptr, chunk_index))
3174
   {
3175
      errmsg = "duplicate";
3176
   }
3177

3178
   else if (length < read_chunks[chunk_index].min_length)
3179
      errmsg = "too short";
3180
   else
3181
   {
3182
      /* NOTE: apart from IHDR the critical chunks (PLTE, IDAT and IEND) are set
3183
       * up above not to do any length checks.
3184
       *
3185
       * The png_chunk_max check ensures that the variable length chunks are
3186
       * always checked at this point for being within the system allocation
3187
       * limits.
3188
       */
3189
      unsigned max_length = read_chunks[chunk_index].max_length;
3190

3191
      switch (max_length)
3192
      {
3193
         case Limit:
3194
            /* png_read_chunk_header has already png_error'ed chunks with a
3195
             * length exceeding the 31-bit PNG limit, so just check the memory
3196
             * limit:
3197
             */
3198
            if (length <= png_chunk_max(png_ptr))
3199
               goto MeetsLimit;
3200

3201
            errmsg = "length exceeds libpng limit";
3202
            break;
3203

3204
         default:
3205
            if (length <= max_length)
3206
               goto MeetsLimit;
3207

3208
            errmsg = "too long";
3209
            break;
3210

3211
         case NoCheck:
3212
         MeetsLimit:
3213
            handled = read_chunks[chunk_index].handler(
3214
                  png_ptr, info_ptr, length);
3215
            break;
3216
      }
3217
   }
3218

3219
   /* If there was an error or the chunk was simply skipped it is not counted as
3220
    * 'seen'.
3221
    */
3222
   if (errmsg != NULL)
3223
   {
3224
      if (PNG_CHUNK_CRITICAL(chunk_name)) /* stop immediately */
3225
         png_chunk_error(png_ptr, errmsg);
3226
      else /* ancillary chunk */
3227
      {
3228
         /* The chunk data is skipped: */
3229
         png_crc_finish(png_ptr, length);
3230
         png_chunk_benign_error(png_ptr, errmsg);
3231
      }
3232
   }
3233

3234
   else if (handled >= handled_saved)
3235
   {
3236
      if (chunk_index != PNG_INDEX_unknown)
3237
         png_file_add_chunk(png_ptr, chunk_index);
3238
   }
3239

3240
   return handled;
3241
}
3242

3243
/* Combines the row recently read in with the existing pixels in the row.  This
3244
 * routine takes care of alpha and transparency if requested.  This routine also
3245
 * handles the two methods of progressive display of interlaced images,
3246
 * depending on the 'display' value; if 'display' is true then the whole row
3247
 * (dp) is filled from the start by replicating the available pixels.  If
3248
 * 'display' is false only those pixels present in the pass are filled in.
3249
 */
3250
void /* PRIVATE */
3251
png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3252
{
3253
   unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3254
   png_const_bytep sp = png_ptr->row_buf + 1;
3255
   png_alloc_size_t row_width = png_ptr->width;
3256
   unsigned int pass = png_ptr->pass;
3257
   png_bytep end_ptr = 0;
3258
   png_byte end_byte = 0;
3259
   unsigned int end_mask;
3260

3261
   png_debug(1, "in png_combine_row");
3262

3263
   /* Added in 1.5.6: it should not be possible to enter this routine until at
3264
    * least one row has been read from the PNG data and transformed.
3265
    */
3266
   if (pixel_depth == 0)
3267
      png_error(png_ptr, "internal row logic error");
3268

3269
   /* Added in 1.5.4: the pixel depth should match the information returned by
3270
    * any call to png_read_update_info at this point.  Do not continue if we got
3271
    * this wrong.
3272
    */
3273
   if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
3274
          PNG_ROWBYTES(pixel_depth, row_width))
3275
      png_error(png_ptr, "internal row size calculation error");
3276

3277
   /* Don't expect this to ever happen: */
3278
   if (row_width == 0)
3279
      png_error(png_ptr, "internal row width error");
3280

3281
   /* Preserve the last byte in cases where only part of it will be overwritten,
3282
    * the multiply below may overflow, we don't care because ANSI-C guarantees
3283
    * we get the low bits.
3284
    */
3285
   end_mask = (pixel_depth * row_width) & 7;
3286
   if (end_mask != 0)
3287
   {
3288
      /* end_ptr == NULL is a flag to say do nothing */
3289
      end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
3290
      end_byte = *end_ptr;
3291
#     ifdef PNG_READ_PACKSWAP_SUPPORTED
3292
      if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3293
         /* little-endian byte */
3294
         end_mask = (unsigned int)(0xff << end_mask);
3295

3296
      else /* big-endian byte */
3297
#     endif
3298
      end_mask = 0xff >> end_mask;
3299
      /* end_mask is now the bits to *keep* from the destination row */
3300
   }
3301

3302
   /* For non-interlaced images this reduces to a memcpy(). A memcpy()
3303
    * will also happen if interlacing isn't supported or if the application
3304
    * does not call png_set_interlace_handling().  In the latter cases the
3305
    * caller just gets a sequence of the unexpanded rows from each interlace
3306
    * pass.
3307
    */
3308
#ifdef PNG_READ_INTERLACING_SUPPORTED
3309
   if (png_ptr->interlaced != 0 &&
3310
       (png_ptr->transformations & PNG_INTERLACE) != 0 &&
3311
       pass < 6 && (display == 0 ||
3312
       /* The following copies everything for 'display' on passes 0, 2 and 4. */
3313
       (display == 1 && (pass & 1) != 0)))
3314
   {
3315
      /* Narrow images may have no bits in a pass; the caller should handle
3316
       * this, but this test is cheap:
3317
       */
3318
      if (row_width <= PNG_PASS_START_COL(pass))
3319
         return;
3320

3321
      if (pixel_depth < 8)
3322
      {
3323
         /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
3324
          * into 32 bits, then a single loop over the bytes using the four byte
3325
          * values in the 32-bit mask can be used.  For the 'display' option the
3326
          * expanded mask may also not require any masking within a byte.  To
3327
          * make this work the PACKSWAP option must be taken into account - it
3328
          * simply requires the pixels to be reversed in each byte.
3329
          *
3330
          * The 'regular' case requires a mask for each of the first 6 passes,
3331
          * the 'display' case does a copy for the even passes in the range
3332
          * 0..6.  This has already been handled in the test above.
3333
          *
3334
          * The masks are arranged as four bytes with the first byte to use in
3335
          * the lowest bits (little-endian) regardless of the order (PACKSWAP or
3336
          * not) of the pixels in each byte.
3337
          *
3338
          * NOTE: the whole of this logic depends on the caller of this function
3339
          * only calling it on rows appropriate to the pass.  This function only
3340
          * understands the 'x' logic; the 'y' logic is handled by the caller.
3341
          *
3342
          * The following defines allow generation of compile time constant bit
3343
          * masks for each pixel depth and each possibility of swapped or not
3344
          * swapped bytes.  Pass 'p' is in the range 0..6; 'x', a pixel index,
3345
          * is in the range 0..7; and the result is 1 if the pixel is to be
3346
          * copied in the pass, 0 if not.  'S' is for the sparkle method, 'B'
3347
          * for the block method.
3348
          *
3349
          * With some compilers a compile time expression of the general form:
3350
          *
3351
          *    (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3352
          *
3353
          * Produces warnings with values of 'shift' in the range 33 to 63
3354
          * because the right hand side of the ?: expression is evaluated by
3355
          * the compiler even though it isn't used.  Microsoft Visual C (various
3356
          * versions) and the Intel C compiler are known to do this.  To avoid
3357
          * this the following macros are used in 1.5.6.  This is a temporary
3358
          * solution to avoid destabilizing the code during the release process.
3359
          */
3360
#        if PNG_USE_COMPILE_TIME_MASKS
3361
#           define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3362
#           define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3363
#        else
3364
#           define PNG_LSR(x,s) ((x)>>(s))
3365
#           define PNG_LSL(x,s) ((x)<<(s))
3366
#        endif
3367
#        define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3368
           PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3369
#        define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3370
           PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3371

3372
         /* Return a mask for pass 'p' pixel 'x' at depth 'd'.  The mask is
3373
          * little endian - the first pixel is at bit 0 - however the extra
3374
          * parameter 's' can be set to cause the mask position to be swapped
3375
          * within each byte, to match the PNG format.  This is done by XOR of
3376
          * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3377
          */
3378
#        define PIXEL_MASK(p,x,d,s) \
3379
            (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3380

3381
         /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
3382
          */
3383
#        define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3384
#        define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3385

3386
         /* Combine 8 of these to get the full mask.  For the 1-bpp and 2-bpp
3387
          * cases the result needs replicating, for the 4-bpp case the above
3388
          * generates a full 32 bits.
3389
          */
3390
#        define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3391

3392
#        define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3393
            S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3394
            S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3395

3396
#        define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3397
            B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3398
            B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3399

3400
#if PNG_USE_COMPILE_TIME_MASKS
3401
         /* Utility macros to construct all the masks for a depth/swap
3402
          * combination.  The 's' parameter says whether the format is PNG
3403
          * (big endian bytes) or not.  Only the three odd-numbered passes are
3404
          * required for the display/block algorithm.
3405
          */
3406
#        define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3407
            S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3408

3409
#        define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3410

3411
#        define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3412

3413
         /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
3414
          * then pass:
3415
          */
3416
         static const png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
3417
         {
3418
            /* Little-endian byte masks for PACKSWAP */
3419
            { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
3420
            /* Normal (big-endian byte) masks - PNG format */
3421
            { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
3422
         };
3423

3424
         /* display_mask has only three entries for the odd passes, so index by
3425
          * pass>>1.
3426
          */
3427
         static const png_uint_32 display_mask[2][3][3] =
3428
         {
3429
            /* Little-endian byte masks for PACKSWAP */
3430
            { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
3431
            /* Normal (big-endian byte) masks - PNG format */
3432
            { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
3433
         };
3434

3435
#        define MASK(pass,depth,display,png)\
3436
            ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3437
               row_mask[png][DEPTH_INDEX(depth)][pass])
3438

3439
#else /* !PNG_USE_COMPILE_TIME_MASKS */
3440
         /* This is the runtime alternative: it seems unlikely that this will
3441
          * ever be either smaller or faster than the compile time approach.
3442
          */
3443
#        define MASK(pass,depth,display,png)\
3444
            ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3445
#endif /* !USE_COMPILE_TIME_MASKS */
3446

3447
         /* Use the appropriate mask to copy the required bits.  In some cases
3448
          * the byte mask will be 0 or 0xff; optimize these cases.  row_width is
3449
          * the number of pixels, but the code copies bytes, so it is necessary
3450
          * to special case the end.
3451
          */
3452
         png_uint_32 pixels_per_byte = 8 / pixel_depth;
3453
         png_uint_32 mask;
3454

3455
#        ifdef PNG_READ_PACKSWAP_SUPPORTED
3456
         if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
3457
            mask = MASK(pass, pixel_depth, display, 0);
3458

3459
         else
3460
#        endif
3461
         mask = MASK(pass, pixel_depth, display, 1);
3462

3463
         for (;;)
3464
         {
3465
            png_uint_32 m;
3466

3467
            /* It doesn't matter in the following if png_uint_32 has more than
3468
             * 32 bits because the high bits always match those in m<<24; it is,
3469
             * however, essential to use OR here, not +, because of this.
3470
             */
3471
            m = mask;
3472
            mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
3473
            m &= 0xff;
3474

3475
            if (m != 0) /* something to copy */
3476
            {
3477
               if (m != 0xff)
3478
                  *dp = (png_byte)((*dp & ~m) | (*sp & m));
3479
               else
3480
                  *dp = *sp;
3481
            }
3482

3483
            /* NOTE: this may overwrite the last byte with garbage if the image
3484
             * is not an exact number of bytes wide; libpng has always done
3485
             * this.
3486
             */
3487
            if (row_width <= pixels_per_byte)
3488
               break; /* May need to restore part of the last byte */
3489

3490
            row_width -= pixels_per_byte;
3491
            ++dp;
3492
            ++sp;
3493
         }
3494
      }
3495

3496
      else /* pixel_depth >= 8 */
3497
      {
3498
         unsigned int bytes_to_copy, bytes_to_jump;
3499

3500
         /* Validate the depth - it must be a multiple of 8 */
3501
         if (pixel_depth & 7)
3502
            png_error(png_ptr, "invalid user transform pixel depth");
3503

3504
         pixel_depth >>= 3; /* now in bytes */
3505
         row_width *= pixel_depth;
3506

3507
         /* Regardless of pass number the Adam 7 interlace always results in a
3508
          * fixed number of pixels to copy then to skip.  There may be a
3509
          * different number of pixels to skip at the start though.
3510
          */
3511
         {
3512
            unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3513

3514
            row_width -= offset;
3515
            dp += offset;
3516
            sp += offset;
3517
         }
3518

3519
         /* Work out the bytes to copy. */
3520
         if (display != 0)
3521
         {
3522
            /* When doing the 'block' algorithm the pixel in the pass gets
3523
             * replicated to adjacent pixels.  This is why the even (0,2,4,6)
3524
             * passes are skipped above - the entire expanded row is copied.
3525
             */
3526
            bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
3527

3528
            /* But don't allow this number to exceed the actual row width. */
3529
            if (bytes_to_copy > row_width)
3530
               bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3531
         }
3532

3533
         else /* normal row; Adam7 only ever gives us one pixel to copy. */
3534
            bytes_to_copy = pixel_depth;
3535

3536
         /* In Adam7 there is a constant offset between where the pixels go. */
3537
         bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3538

3539
         /* And simply copy these bytes.  Some optimization is possible here,
3540
          * depending on the value of 'bytes_to_copy'.  Special case the low
3541
          * byte counts, which we know to be frequent.
3542
          *
3543
          * Notice that these cases all 'return' rather than 'break' - this
3544
          * avoids an unnecessary test on whether to restore the last byte
3545
          * below.
3546
          */
3547
         switch (bytes_to_copy)
3548
         {
3549
            case 1:
3550
               for (;;)
3551
               {
3552
                  *dp = *sp;
3553

3554
                  if (row_width <= bytes_to_jump)
3555
                     return;
3556

3557
                  dp += bytes_to_jump;
3558
                  sp += bytes_to_jump;
3559
                  row_width -= bytes_to_jump;
3560
               }
3561

3562
            case 2:
3563
               /* There is a possibility of a partial copy at the end here; this
3564
                * slows the code down somewhat.
3565
                */
3566
               do
3567
               {
3568
                  dp[0] = sp[0]; dp[1] = sp[1];
3569

3570
                  if (row_width <= bytes_to_jump)
3571
                     return;
3572

3573
                  sp += bytes_to_jump;
3574
                  dp += bytes_to_jump;
3575
                  row_width -= bytes_to_jump;
3576
               }
3577
               while (row_width > 1);
3578

3579
               /* And there can only be one byte left at this point: */
3580
               *dp = *sp;
3581
               return;
3582

3583
            case 3:
3584
               /* This can only be the RGB case, so each copy is exactly one
3585
                * pixel and it is not necessary to check for a partial copy.
3586
                */
3587
               for (;;)
3588
               {
3589
                  dp[0] = sp[0]; dp[1] = sp[1]; dp[2] = sp[2];
3590

3591
                  if (row_width <= bytes_to_jump)
3592
                     return;
3593

3594
                  sp += bytes_to_jump;
3595
                  dp += bytes_to_jump;
3596
                  row_width -= bytes_to_jump;
3597
               }
3598

3599
            default:
3600
#if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3601
               /* Check for double byte alignment and, if possible, use a
3602
                * 16-bit copy.  Don't attempt this for narrow images - ones that
3603
                * are less than an interlace panel wide.  Don't attempt it for
3604
                * wide bytes_to_copy either - use the memcpy there.
3605
                */
3606
               if (bytes_to_copy < 16 /*else use memcpy*/ &&
3607
                   png_isaligned(dp, png_uint_16) &&
3608
                   png_isaligned(sp, png_uint_16) &&
3609
                   bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
3610
                   bytes_to_jump % (sizeof (png_uint_16)) == 0)
3611
               {
3612
                  /* Everything is aligned for png_uint_16 copies, but try for
3613
                   * png_uint_32 first.
3614
                   */
3615
                  if (png_isaligned(dp, png_uint_32) &&
3616
                      png_isaligned(sp, png_uint_32) &&
3617
                      bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
3618
                      bytes_to_jump % (sizeof (png_uint_32)) == 0)
3619
                  {
3620
                     png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3621
                     png_const_uint_32p sp32 = png_aligncastconst(
3622
                         png_const_uint_32p, sp);
3623
                     size_t skip = (bytes_to_jump-bytes_to_copy) /
3624
                         (sizeof (png_uint_32));
3625

3626
                     do
3627
                     {
3628
                        size_t c = bytes_to_copy;
3629
                        do
3630
                        {
3631
                           *dp32++ = *sp32++;
3632
                           c -= (sizeof (png_uint_32));
3633
                        }
3634
                        while (c > 0);
3635

3636
                        if (row_width <= bytes_to_jump)
3637
                           return;
3638

3639
                        dp32 += skip;
3640
                        sp32 += skip;
3641
                        row_width -= bytes_to_jump;
3642
                     }
3643
                     while (bytes_to_copy <= row_width);
3644

3645
                     /* Get to here when the row_width truncates the final copy.
3646
                      * There will be 1-3 bytes left to copy, so don't try the
3647
                      * 16-bit loop below.
3648
                      */
3649
                     dp = (png_bytep)dp32;
3650
                     sp = (png_const_bytep)sp32;
3651
                     do
3652
                        *dp++ = *sp++;
3653
                     while (--row_width > 0);
3654
                     return;
3655
                  }
3656

3657
                  /* Else do it in 16-bit quantities, but only if the size is
3658
                   * not too large.
3659
                   */
3660
                  else
3661
                  {
3662
                     png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3663
                     png_const_uint_16p sp16 = png_aligncastconst(
3664
                        png_const_uint_16p, sp);
3665
                     size_t skip = (bytes_to_jump-bytes_to_copy) /
3666
                        (sizeof (png_uint_16));
3667

3668
                     do
3669
                     {
3670
                        size_t c = bytes_to_copy;
3671
                        do
3672
                        {
3673
                           *dp16++ = *sp16++;
3674
                           c -= (sizeof (png_uint_16));
3675
                        }
3676
                        while (c > 0);
3677

3678
                        if (row_width <= bytes_to_jump)
3679
                           return;
3680

3681
                        dp16 += skip;
3682
                        sp16 += skip;
3683
                        row_width -= bytes_to_jump;
3684
                     }
3685
                     while (bytes_to_copy <= row_width);
3686

3687
                     /* End of row - 1 byte left, bytes_to_copy > row_width: */
3688
                     dp = (png_bytep)dp16;
3689
                     sp = (png_const_bytep)sp16;
3690
                     do
3691
                        *dp++ = *sp++;
3692
                     while (--row_width > 0);
3693
                     return;
3694
                  }
3695
               }
3696
#endif /* ALIGN_TYPE code */
3697

3698
               /* The true default - use a memcpy: */
3699
               for (;;)
3700
               {
3701
                  memcpy(dp, sp, bytes_to_copy);
3702

3703
                  if (row_width <= bytes_to_jump)
3704
                     return;
3705

3706
                  sp += bytes_to_jump;
3707
                  dp += bytes_to_jump;
3708
                  row_width -= bytes_to_jump;
3709
                  if (bytes_to_copy > row_width)
3710
                     bytes_to_copy = (unsigned int)/*SAFE*/row_width;
3711
               }
3712
         }
3713

3714
         /* NOT REACHED*/
3715
      } /* pixel_depth >= 8 */
3716

3717
      /* Here if pixel_depth < 8 to check 'end_ptr' below. */
3718
   }
3719
   else
3720
#endif /* READ_INTERLACING */
3721

3722
   /* If here then the switch above wasn't used so just memcpy the whole row
3723
    * from the temporary row buffer (notice that this overwrites the end of the
3724
    * destination row if it is a partial byte.)
3725
    */
3726
   memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3727

3728
   /* Restore the overwritten bits from the last byte if necessary. */
3729
   if (end_ptr != NULL)
3730
      *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
3731
}
3732

3733
#ifdef PNG_READ_INTERLACING_SUPPORTED
3734
void /* PRIVATE */
3735
png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3736
    png_uint_32 transformations /* Because these may affect the byte layout */)
3737
{
3738
   png_debug(1, "in png_do_read_interlace");
3739
   if (row != NULL && row_info != NULL)
3740
   {
3741
      png_uint_32 final_width;
3742

3743
      final_width = row_info->width * png_pass_inc[pass];
3744

3745
      switch (row_info->pixel_depth)
3746
      {
3747
         case 1:
3748
         {
3749
            png_bytep sp = row + (size_t)((row_info->width - 1) >> 3);
3750
            png_bytep dp = row + (size_t)((final_width - 1) >> 3);
3751
            unsigned int sshift, dshift;
3752
            unsigned int s_start, s_end;
3753
            int s_inc;
3754
            int jstop = (int)png_pass_inc[pass];
3755
            png_byte v;
3756
            png_uint_32 i;
3757
            int j;
3758

3759
#ifdef PNG_READ_PACKSWAP_SUPPORTED
3760
            if ((transformations & PNG_PACKSWAP) != 0)
3761
            {
3762
                sshift = ((row_info->width + 7) & 0x07);
3763
                dshift = ((final_width + 7) & 0x07);
3764
                s_start = 7;
3765
                s_end = 0;
3766
                s_inc = -1;
3767
            }
3768

3769
            else
3770
#endif
3771
            {
3772
                sshift = 7 - ((row_info->width + 7) & 0x07);
3773
                dshift = 7 - ((final_width + 7) & 0x07);
3774
                s_start = 0;
3775
                s_end = 7;
3776
                s_inc = 1;
3777
            }
3778

3779
            for (i = 0; i < row_info->width; i++)
3780
            {
3781
               v = (png_byte)((*sp >> sshift) & 0x01);
3782
               for (j = 0; j < jstop; j++)
3783
               {
3784
                  unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
3785
                  tmp |= (unsigned int)(v << dshift);
3786
                  *dp = (png_byte)(tmp & 0xff);
3787

3788
                  if (dshift == s_end)
3789
                  {
3790
                     dshift = s_start;
3791
                     dp--;
3792
                  }
3793

3794
                  else
3795
                     dshift = (unsigned int)((int)dshift + s_inc);
3796
               }
3797

3798
               if (sshift == s_end)
3799
               {
3800
                  sshift = s_start;
3801
                  sp--;
3802
               }
3803

3804
               else
3805
                  sshift = (unsigned int)((int)sshift + s_inc);
3806
            }
3807
            break;
3808
         }
3809

3810
         case 2:
3811
         {
3812
            png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
3813
            png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
3814
            unsigned int sshift, dshift;
3815
            unsigned int s_start, s_end;
3816
            int s_inc;
3817
            int jstop = (int)png_pass_inc[pass];
3818
            png_uint_32 i;
3819

3820
#ifdef PNG_READ_PACKSWAP_SUPPORTED
3821
            if ((transformations & PNG_PACKSWAP) != 0)
3822
            {
3823
               sshift = (((row_info->width + 3) & 0x03) << 1);
3824
               dshift = (((final_width + 3) & 0x03) << 1);
3825
               s_start = 6;
3826
               s_end = 0;
3827
               s_inc = -2;
3828
            }
3829

3830
            else
3831
#endif
3832
            {
3833
               sshift = ((3 - ((row_info->width + 3) & 0x03)) << 1);
3834
               dshift = ((3 - ((final_width + 3) & 0x03)) << 1);
3835
               s_start = 0;
3836
               s_end = 6;
3837
               s_inc = 2;
3838
            }
3839

3840
            for (i = 0; i < row_info->width; i++)
3841
            {
3842
               png_byte v;
3843
               int j;
3844

3845
               v = (png_byte)((*sp >> sshift) & 0x03);
3846
               for (j = 0; j < jstop; j++)
3847
               {
3848
                  unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
3849
                  tmp |= (unsigned int)(v << dshift);
3850
                  *dp = (png_byte)(tmp & 0xff);
3851

3852
                  if (dshift == s_end)
3853
                  {
3854
                     dshift = s_start;
3855
                     dp--;
3856
                  }
3857

3858
                  else
3859
                     dshift = (unsigned int)((int)dshift + s_inc);
3860
               }
3861

3862
               if (sshift == s_end)
3863
               {
3864
                  sshift = s_start;
3865
                  sp--;
3866
               }
3867

3868
               else
3869
                  sshift = (unsigned int)((int)sshift + s_inc);
3870
            }
3871
            break;
3872
         }
3873

3874
         case 4:
3875
         {
3876
            png_bytep sp = row + (size_t)((row_info->width - 1) >> 1);
3877
            png_bytep dp = row + (size_t)((final_width - 1) >> 1);
3878
            unsigned int sshift, dshift;
3879
            unsigned int s_start, s_end;
3880
            int s_inc;
3881
            png_uint_32 i;
3882
            int jstop = (int)png_pass_inc[pass];
3883

3884
#ifdef PNG_READ_PACKSWAP_SUPPORTED
3885
            if ((transformations & PNG_PACKSWAP) != 0)
3886
            {
3887
               sshift = (((row_info->width + 1) & 0x01) << 2);
3888
               dshift = (((final_width + 1) & 0x01) << 2);
3889
               s_start = 4;
3890
               s_end = 0;
3891
               s_inc = -4;
3892
            }
3893

3894
            else
3895
#endif
3896
            {
3897
               sshift = ((1 - ((row_info->width + 1) & 0x01)) << 2);
3898
               dshift = ((1 - ((final_width + 1) & 0x01)) << 2);
3899
               s_start = 0;
3900
               s_end = 4;
3901
               s_inc = 4;
3902
            }
3903

3904
            for (i = 0; i < row_info->width; i++)
3905
            {
3906
               png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
3907
               int j;
3908

3909
               for (j = 0; j < jstop; j++)
3910
               {
3911
                  unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
3912
                  tmp |= (unsigned int)(v << dshift);
3913
                  *dp = (png_byte)(tmp & 0xff);
3914

3915
                  if (dshift == s_end)
3916
                  {
3917
                     dshift = s_start;
3918
                     dp--;
3919
                  }
3920

3921
                  else
3922
                     dshift = (unsigned int)((int)dshift + s_inc);
3923
               }
3924

3925
               if (sshift == s_end)
3926
               {
3927
                  sshift = s_start;
3928
                  sp--;
3929
               }
3930

3931
               else
3932
                  sshift = (unsigned int)((int)sshift + s_inc);
3933
            }
3934
            break;
3935
         }
3936

3937
         default:
3938
         {
3939
            size_t pixel_bytes = (row_info->pixel_depth >> 3);
3940

3941
            png_bytep sp = row + (size_t)(row_info->width - 1)
3942
                * pixel_bytes;
3943

3944
            png_bytep dp = row + (size_t)(final_width - 1) * pixel_bytes;
3945

3946
            int jstop = (int)png_pass_inc[pass];
3947
            png_uint_32 i;
3948

3949
            for (i = 0; i < row_info->width; i++)
3950
            {
3951
               png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
3952
               int j;
3953

3954
               memcpy(v, sp, pixel_bytes);
3955

3956
               for (j = 0; j < jstop; j++)
3957
               {
3958
                  memcpy(dp, v, pixel_bytes);
3959
                  dp -= pixel_bytes;
3960
               }
3961

3962
               sp -= pixel_bytes;
3963
            }
3964
            break;
3965
         }
3966
      }
3967

3968
      row_info->width = final_width;
3969
      row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3970
   }
3971
#ifndef PNG_READ_PACKSWAP_SUPPORTED
3972
   PNG_UNUSED(transformations)  /* Silence compiler warning */
3973
#endif
3974
}
3975
#endif /* READ_INTERLACING */
3976

3977
static void
3978
png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3979
    png_const_bytep prev_row)
3980
{
3981
   size_t i;
3982
   size_t istop = row_info->rowbytes;
3983
   unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
3984
   png_bytep rp = row + bpp;
3985

3986
   PNG_UNUSED(prev_row)
3987

3988
   for (i = bpp; i < istop; i++)
3989
   {
3990
      *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
3991
      rp++;
3992
   }
3993
}
3994

3995
static void
3996
png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3997
    png_const_bytep prev_row)
3998
{
3999
   size_t i;
4000
   size_t istop = row_info->rowbytes;
4001
   png_bytep rp = row;
4002
   png_const_bytep pp = prev_row;
4003

4004
   for (i = 0; i < istop; i++)
4005
   {
4006
      *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
4007
      rp++;
4008
   }
4009
}
4010

4011
static void
4012
png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
4013
    png_const_bytep prev_row)
4014
{
4015
   size_t i;
4016
   png_bytep rp = row;
4017
   png_const_bytep pp = prev_row;
4018
   unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
4019
   size_t istop = row_info->rowbytes - bpp;
4020

4021
   for (i = 0; i < bpp; i++)
4022
   {
4023
      *rp = (png_byte)(((int)(*rp) +
4024
         ((int)(*pp++) / 2 )) & 0xff);
4025

4026
      rp++;
4027
   }
4028

4029
   for (i = 0; i < istop; i++)
4030
   {
4031
      *rp = (png_byte)(((int)(*rp) +
4032
         (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
4033

4034
      rp++;
4035
   }
4036
}
4037

4038
static void
4039
png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
4040
    png_const_bytep prev_row)
4041
{
4042
   png_bytep rp_end = row + row_info->rowbytes;
4043
   int a, c;
4044

4045
   /* First pixel/byte */
4046
   c = *prev_row++;
4047
   a = *row + c;
4048
   *row++ = (png_byte)a;
4049

4050
   /* Remainder */
4051
   while (row < rp_end)
4052
   {
4053
      int b, pa, pb, pc, p;
4054

4055
      a &= 0xff; /* From previous iteration or start */
4056
      b = *prev_row++;
4057

4058
      p = b - c;
4059
      pc = a - c;
4060

4061
#ifdef PNG_USE_ABS
4062
      pa = abs(p);
4063
      pb = abs(pc);
4064
      pc = abs(p + pc);
4065
#else
4066
      pa = p < 0 ? -p : p;
4067
      pb = pc < 0 ? -pc : pc;
4068
      pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4069
#endif
4070

4071
      /* Find the best predictor, the least of pa, pb, pc favoring the earlier
4072
       * ones in the case of a tie.
4073
       */
4074
      if (pb < pa)
4075
      {
4076
         pa = pb; a = b;
4077
      }
4078
      if (pc < pa) a = c;
4079

4080
      /* Calculate the current pixel in a, and move the previous row pixel to c
4081
       * for the next time round the loop
4082
       */
4083
      c = b;
4084
      a += *row;
4085
      *row++ = (png_byte)a;
4086
   }
4087
}
4088

4089
static void
4090
png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
4091
    png_const_bytep prev_row)
4092
{
4093
   unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
4094
   png_bytep rp_end = row + bpp;
4095

4096
   /* Process the first pixel in the row completely (this is the same as 'up'
4097
    * because there is only one candidate predictor for the first row).
4098
    */
4099
   while (row < rp_end)
4100
   {
4101
      int a = *row + *prev_row++;
4102
      *row++ = (png_byte)a;
4103
   }
4104

4105
   /* Remainder */
4106
   rp_end = rp_end + (row_info->rowbytes - bpp);
4107

4108
   while (row < rp_end)
4109
   {
4110
      int a, b, c, pa, pb, pc, p;
4111

4112
      c = *(prev_row - bpp);
4113
      a = *(row - bpp);
4114
      b = *prev_row++;
4115

4116
      p = b - c;
4117
      pc = a - c;
4118

4119
#ifdef PNG_USE_ABS
4120
      pa = abs(p);
4121
      pb = abs(pc);
4122
      pc = abs(p + pc);
4123
#else
4124
      pa = p < 0 ? -p : p;
4125
      pb = pc < 0 ? -pc : pc;
4126
      pc = (p + pc) < 0 ? -(p + pc) : p + pc;
4127
#endif
4128

4129
      if (pb < pa)
4130
      {
4131
         pa = pb; a = b;
4132
      }
4133
      if (pc < pa) a = c;
4134

4135
      a += *row;
4136
      *row++ = (png_byte)a;
4137
   }
4138
}
4139

4140
static void
4141
png_init_filter_functions(png_structrp pp)
4142
   /* This function is called once for every PNG image (except for PNG images
4143
    * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
4144
    * implementations required to reverse the filtering of PNG rows.  Reversing
4145
    * the filter is the first transformation performed on the row data.  It is
4146
    * performed in place, therefore an implementation can be selected based on
4147
    * the image pixel format.  If the implementation depends on image width then
4148
    * take care to ensure that it works correctly if the image is interlaced -
4149
    * interlacing causes the actual row width to vary.
4150
    */
4151
{
4152
   unsigned int bpp = (pp->pixel_depth + 7) >> 3;
4153

4154
   pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
4155
   pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
4156
   pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
4157
   if (bpp == 1)
4158
      pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
4159
         png_read_filter_row_paeth_1byte_pixel;
4160
   else
4161
      pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
4162
         png_read_filter_row_paeth_multibyte_pixel;
4163

4164
#ifdef PNG_FILTER_OPTIMIZATIONS
4165
   /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
4166
    * call to install hardware optimizations for the above functions; simply
4167
    * replace whatever elements of the pp->read_filter[] array with a hardware
4168
    * specific (or, for that matter, generic) optimization.
4169
    *
4170
    * To see an example of this examine what configure.ac does when
4171
    * --enable-arm-neon is specified on the command line.
4172
    */
4173
   PNG_FILTER_OPTIMIZATIONS(pp, bpp);
4174
#endif
4175
}
4176

4177
void /* PRIVATE */
4178
png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
4179
    png_const_bytep prev_row, int filter)
4180
{
4181
   /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
4182
    * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
4183
    * implementations.  See png_init_filter_functions above.
4184
    */
4185
   if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
4186
   {
4187
      if (pp->read_filter[0] == NULL)
4188
         png_init_filter_functions(pp);
4189

4190
      pp->read_filter[filter-1](row_info, row, prev_row);
4191
   }
4192
}
4193

4194
#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
4195
void /* PRIVATE */
4196
png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
4197
    png_alloc_size_t avail_out)
4198
{
4199
   /* Loop reading IDATs and decompressing the result into output[avail_out] */
4200
   png_ptr->zstream.next_out = output;
4201
   png_ptr->zstream.avail_out = 0; /* safety: set below */
4202

4203
   if (output == NULL)
4204
      avail_out = 0;
4205

4206
   do
4207
   {
4208
      int ret;
4209
      png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
4210

4211
      if (png_ptr->zstream.avail_in == 0)
4212
      {
4213
         uInt avail_in;
4214
         png_bytep buffer;
4215

4216
         while (png_ptr->idat_size == 0)
4217
         {
4218
            png_crc_finish(png_ptr, 0);
4219

4220
            png_ptr->idat_size = png_read_chunk_header(png_ptr);
4221
            /* This is an error even in the 'check' case because the code just
4222
             * consumed a non-IDAT header.
4223
             */
4224
            if (png_ptr->chunk_name != png_IDAT)
4225
               png_error(png_ptr, "Not enough image data");
4226
         }
4227

4228
         avail_in = png_ptr->IDAT_read_size;
4229

4230
         if (avail_in > png_chunk_max(png_ptr))
4231
            avail_in = (uInt)/*SAFE*/png_chunk_max(png_ptr);
4232

4233
         if (avail_in > png_ptr->idat_size)
4234
            avail_in = (uInt)png_ptr->idat_size;
4235

4236
         /* A PNG with a gradually increasing IDAT size will defeat this attempt
4237
          * to minimize memory usage by causing lots of re-allocs, but
4238
          * realistically doing IDAT_read_size re-allocs is not likely to be a
4239
          * big problem.
4240
          *
4241
          * An error here corresponds to the system being out of memory.
4242
          */
4243
         buffer = png_read_buffer(png_ptr, avail_in);
4244

4245
         if (buffer == NULL)
4246
            png_chunk_error(png_ptr, "out of memory");
4247

4248
         png_crc_read(png_ptr, buffer, avail_in);
4249
         png_ptr->idat_size -= avail_in;
4250

4251
         png_ptr->zstream.next_in = buffer;
4252
         png_ptr->zstream.avail_in = avail_in;
4253
      }
4254

4255
      /* And set up the output side. */
4256
      if (output != NULL) /* standard read */
4257
      {
4258
         uInt out = ZLIB_IO_MAX;
4259

4260
         if (out > avail_out)
4261
            out = (uInt)avail_out;
4262

4263
         avail_out -= out;
4264
         png_ptr->zstream.avail_out = out;
4265
      }
4266

4267
      else /* after last row, checking for end */
4268
      {
4269
         png_ptr->zstream.next_out = tmpbuf;
4270
         png_ptr->zstream.avail_out = (sizeof tmpbuf);
4271
      }
4272

4273
      /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
4274
       * process.  If the LZ stream is truncated the sequential reader will
4275
       * terminally damage the stream, above, by reading the chunk header of the
4276
       * following chunk (it then exits with png_error).
4277
       *
4278
       * TODO: deal more elegantly with truncated IDAT lists.
4279
       */
4280
      ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
4281

4282
      /* Take the unconsumed output back. */
4283
      if (output != NULL)
4284
         avail_out += png_ptr->zstream.avail_out;
4285

4286
      else /* avail_out counts the extra bytes */
4287
         avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4288

4289
      png_ptr->zstream.avail_out = 0;
4290

4291
      if (ret == Z_STREAM_END)
4292
      {
4293
         /* Do this for safety; we won't read any more into this row. */
4294
         png_ptr->zstream.next_out = NULL;
4295

4296
         png_ptr->mode |= PNG_AFTER_IDAT;
4297
         png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4298

4299
         if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
4300
            png_chunk_benign_error(png_ptr, "Extra compressed data");
4301
         break;
4302
      }
4303

4304
      if (ret != Z_OK)
4305
      {
4306
         png_zstream_error(png_ptr, ret);
4307

4308
         if (output != NULL)
4309
            png_chunk_error(png_ptr, png_ptr->zstream.msg);
4310

4311
         else /* checking */
4312
         {
4313
            png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4314
            return;
4315
         }
4316
      }
4317
   } while (avail_out > 0);
4318

4319
   if (avail_out > 0)
4320
   {
4321
      /* The stream ended before the image; this is the same as too few IDATs so
4322
       * should be handled the same way.
4323
       */
4324
      if (output != NULL)
4325
         png_error(png_ptr, "Not enough image data");
4326

4327
      else /* the deflate stream contained extra data */
4328
         png_chunk_benign_error(png_ptr, "Too much image data");
4329
   }
4330
}
4331

4332
void /* PRIVATE */
4333
png_read_finish_IDAT(png_structrp png_ptr)
4334
{
4335
   /* We don't need any more data and the stream should have ended, however the
4336
    * LZ end code may actually not have been processed.  In this case we must
4337
    * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4338
    * may still remain to be consumed.
4339
    */
4340
   if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4341
   {
4342
      /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
4343
       * the compressed stream, but the stream may be damaged too, so even after
4344
       * this call we may need to terminate the zstream ownership.
4345
       */
4346
      png_read_IDAT_data(png_ptr, NULL, 0);
4347
      png_ptr->zstream.next_out = NULL; /* safety */
4348

4349
      /* Now clear everything out for safety; the following may not have been
4350
       * done.
4351
       */
4352
      if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
4353
      {
4354
         png_ptr->mode |= PNG_AFTER_IDAT;
4355
         png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
4356
      }
4357
   }
4358

4359
   /* If the zstream has not been released do it now *and* terminate the reading
4360
    * of the final IDAT chunk.
4361
    */
4362
   if (png_ptr->zowner == png_IDAT)
4363
   {
4364
      /* Always do this; the pointers otherwise point into the read buffer. */
4365
      png_ptr->zstream.next_in = NULL;
4366
      png_ptr->zstream.avail_in = 0;
4367

4368
      /* Now we no longer own the zstream. */
4369
      png_ptr->zowner = 0;
4370

4371
      /* The slightly weird semantics of the sequential IDAT reading is that we
4372
       * are always in or at the end of an IDAT chunk, so we always need to do a
4373
       * crc_finish here.  If idat_size is non-zero we also need to read the
4374
       * spurious bytes at the end of the chunk now.
4375
       */
4376
      (void)png_crc_finish(png_ptr, png_ptr->idat_size);
4377
   }
4378
}
4379

4380
void /* PRIVATE */
4381
png_read_finish_row(png_structrp png_ptr)
4382
{
4383
   png_debug(1, "in png_read_finish_row");
4384
   png_ptr->row_number++;
4385
   if (png_ptr->row_number < png_ptr->num_rows)
4386
      return;
4387

4388
   if (png_ptr->interlaced != 0)
4389
   {
4390
      png_ptr->row_number = 0;
4391

4392
      /* TO DO: don't do this if prev_row isn't needed (requires
4393
       * read-ahead of the next row's filter byte.
4394
       */
4395
      memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4396

4397
      do
4398
      {
4399
         png_ptr->pass++;
4400

4401
         if (png_ptr->pass >= 7)
4402
            break;
4403

4404
         png_ptr->iwidth = (png_ptr->width +
4405
            png_pass_inc[png_ptr->pass] - 1 -
4406
            png_pass_start[png_ptr->pass]) /
4407
            png_pass_inc[png_ptr->pass];
4408

4409
         if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4410
         {
4411
            png_ptr->num_rows = (png_ptr->height +
4412
                png_pass_yinc[png_ptr->pass] - 1 -
4413
                png_pass_ystart[png_ptr->pass]) /
4414
                png_pass_yinc[png_ptr->pass];
4415
         }
4416

4417
         else  /* if (png_ptr->transformations & PNG_INTERLACE) */
4418
            break; /* libpng deinterlacing sees every row */
4419

4420
      } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
4421

4422
      if (png_ptr->pass < 7)
4423
         return;
4424
   }
4425

4426
   /* Here after at the end of the last row of the last pass. */
4427
   png_read_finish_IDAT(png_ptr);
4428
}
4429
#endif /* SEQUENTIAL_READ */
4430

4431
void /* PRIVATE */
4432
png_read_start_row(png_structrp png_ptr)
4433
{
4434
   unsigned int max_pixel_depth;
4435
   size_t row_bytes;
4436

4437
   png_debug(1, "in png_read_start_row");
4438

4439
#ifdef PNG_READ_TRANSFORMS_SUPPORTED
4440
   png_init_read_transformations(png_ptr);
4441
#endif
4442
   if (png_ptr->interlaced != 0)
4443
   {
4444
      if ((png_ptr->transformations & PNG_INTERLACE) == 0)
4445
         png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
4446
             png_pass_ystart[0]) / png_pass_yinc[0];
4447

4448
      else
4449
         png_ptr->num_rows = png_ptr->height;
4450

4451
      png_ptr->iwidth = (png_ptr->width +
4452
          png_pass_inc[png_ptr->pass] - 1 -
4453
          png_pass_start[png_ptr->pass]) /
4454
          png_pass_inc[png_ptr->pass];
4455
   }
4456

4457
   else
4458
   {
4459
      png_ptr->num_rows = png_ptr->height;
4460
      png_ptr->iwidth = png_ptr->width;
4461
   }
4462

4463
   max_pixel_depth = (unsigned int)png_ptr->pixel_depth;
4464

4465
   /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
4466
    * calculations to calculate the final pixel depth, then
4467
    * png_do_read_transforms actually does the transforms.  This means that the
4468
    * code which effectively calculates this value is actually repeated in three
4469
    * separate places.  They must all match.  Innocent changes to the order of
4470
    * transformations can and will break libpng in a way that causes memory
4471
    * overwrites.
4472
    *
4473
    * TODO: fix this.
4474
    */
4475
#ifdef PNG_READ_PACK_SUPPORTED
4476
   if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8)
4477
      max_pixel_depth = 8;
4478
#endif
4479

4480
#ifdef PNG_READ_EXPAND_SUPPORTED
4481
   if ((png_ptr->transformations & PNG_EXPAND) != 0)
4482
   {
4483
      if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4484
      {
4485
         if (png_ptr->num_trans != 0)
4486
            max_pixel_depth = 32;
4487

4488
         else
4489
            max_pixel_depth = 24;
4490
      }
4491

4492
      else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4493
      {
4494
         if (max_pixel_depth < 8)
4495
            max_pixel_depth = 8;
4496

4497
         if (png_ptr->num_trans != 0)
4498
            max_pixel_depth *= 2;
4499
      }
4500

4501
      else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4502
      {
4503
         if (png_ptr->num_trans != 0)
4504
         {
4505
            max_pixel_depth *= 4;
4506
            max_pixel_depth /= 3;
4507
         }
4508
      }
4509
   }
4510
#endif
4511

4512
#ifdef PNG_READ_EXPAND_16_SUPPORTED
4513
   if ((png_ptr->transformations & PNG_EXPAND_16) != 0)
4514
   {
4515
#  ifdef PNG_READ_EXPAND_SUPPORTED
4516
      /* In fact it is an error if it isn't supported, but checking is
4517
       * the safe way.
4518
       */
4519
      if ((png_ptr->transformations & PNG_EXPAND) != 0)
4520
      {
4521
         if (png_ptr->bit_depth < 16)
4522
            max_pixel_depth *= 2;
4523
      }
4524
      else
4525
#  endif
4526
      png_ptr->transformations &= ~PNG_EXPAND_16;
4527
   }
4528
#endif
4529

4530
#ifdef PNG_READ_FILLER_SUPPORTED
4531
   if ((png_ptr->transformations & (PNG_FILLER)) != 0)
4532
   {
4533
      if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4534
      {
4535
         if (max_pixel_depth <= 8)
4536
            max_pixel_depth = 16;
4537

4538
         else
4539
            max_pixel_depth = 32;
4540
      }
4541

4542
      else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
4543
         png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4544
      {
4545
         if (max_pixel_depth <= 32)
4546
            max_pixel_depth = 32;
4547

4548
         else
4549
            max_pixel_depth = 64;
4550
      }
4551
   }
4552
#endif
4553

4554
#ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4555
   if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0)
4556
   {
4557
      if (
4558
#ifdef PNG_READ_EXPAND_SUPPORTED
4559
          (png_ptr->num_trans != 0 &&
4560
          (png_ptr->transformations & PNG_EXPAND) != 0) ||
4561
#endif
4562
#ifdef PNG_READ_FILLER_SUPPORTED
4563
          (png_ptr->transformations & (PNG_FILLER)) != 0 ||
4564
#endif
4565
          png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4566
      {
4567
         if (max_pixel_depth <= 16)
4568
            max_pixel_depth = 32;
4569

4570
         else
4571
            max_pixel_depth = 64;
4572
      }
4573

4574
      else
4575
      {
4576
         if (max_pixel_depth <= 8)
4577
         {
4578
            if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4579
               max_pixel_depth = 32;
4580

4581
            else
4582
               max_pixel_depth = 24;
4583
         }
4584

4585
         else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4586
            max_pixel_depth = 64;
4587

4588
         else
4589
            max_pixel_depth = 48;
4590
      }
4591
   }
4592
#endif
4593

4594
#if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4595
defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4596
   if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0)
4597
   {
4598
      unsigned int user_pixel_depth = png_ptr->user_transform_depth *
4599
         png_ptr->user_transform_channels;
4600

4601
      if (user_pixel_depth > max_pixel_depth)
4602
         max_pixel_depth = user_pixel_depth;
4603
   }
4604
#endif
4605

4606
   /* This value is stored in png_struct and double checked in the row read
4607
    * code.
4608
    */
4609
   png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4610
   png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
4611

4612
   /* Align the width on the next larger 8 pixels.  Mainly used
4613
    * for interlacing
4614
    */
4615
   row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
4616
   /* Calculate the maximum bytes needed, adding a byte and a pixel
4617
    * for safety's sake
4618
    */
4619
   row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4620
       1 + ((max_pixel_depth + 7) >> 3U);
4621

4622
#ifdef PNG_MAX_MALLOC_64K
4623
   if (row_bytes > (png_uint_32)65536L)
4624
      png_error(png_ptr, "This image requires a row greater than 64KB");
4625
#endif
4626

4627
   if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
4628
   {
4629
      png_free(png_ptr, png_ptr->big_row_buf);
4630
      png_free(png_ptr, png_ptr->big_prev_row);
4631

4632
      if (png_ptr->interlaced != 0)
4633
         png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4634
             row_bytes + 48);
4635

4636
      else
4637
         png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4638

4639
      png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
4640

4641
#ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4642
      /* Use 16-byte aligned memory for row_buf with at least 16 bytes
4643
       * of padding before and after row_buf; treat prev_row similarly.
4644
       * NOTE: the alignment is to the start of the pixels, one beyond the start
4645
       * of the buffer, because of the filter byte.  Prior to libpng 1.5.6 this
4646
       * was incorrect; the filter byte was aligned, which had the exact
4647
       * opposite effect of that intended.
4648
       */
4649
      {
4650
         png_bytep temp = png_ptr->big_row_buf + 32;
4651
         size_t extra = (size_t)temp & 0x0f;
4652
         png_ptr->row_buf = temp - extra - 1/*filter byte*/;
4653

4654
         temp = png_ptr->big_prev_row + 32;
4655
         extra = (size_t)temp & 0x0f;
4656
         png_ptr->prev_row = temp - extra - 1/*filter byte*/;
4657
      }
4658
#else
4659
      /* Use 31 bytes of padding before and 17 bytes after row_buf. */
4660
      png_ptr->row_buf = png_ptr->big_row_buf + 31;
4661
      png_ptr->prev_row = png_ptr->big_prev_row + 31;
4662
#endif
4663
      png_ptr->old_big_row_buf_size = row_bytes + 48;
4664
   }
4665

4666
#ifdef PNG_MAX_MALLOC_64K
4667
   if (png_ptr->rowbytes > 65535)
4668
      png_error(png_ptr, "This image requires a row greater than 64KB");
4669

4670
#endif
4671
   if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
4672
      png_error(png_ptr, "Row has too many bytes to allocate in memory");
4673

4674
   memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
4675

4676
   png_debug1(3, "width = %u,", png_ptr->width);
4677
   png_debug1(3, "height = %u,", png_ptr->height);
4678
   png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
4679
   png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
4680
   png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4681
   png_debug1(3, "irowbytes = %lu",
4682
       (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
4683

4684
   /* The sequential reader needs a buffer for IDAT, but the progressive reader
4685
    * does not, so free the read buffer now regardless; the sequential reader
4686
    * reallocates it on demand.
4687
    */
4688
   if (png_ptr->read_buffer != NULL)
4689
   {
4690
      png_bytep buffer = png_ptr->read_buffer;
4691

4692
      png_ptr->read_buffer_size = 0;
4693
      png_ptr->read_buffer = NULL;
4694
      png_free(png_ptr, buffer);
4695
   }
4696

4697
   /* Finally claim the zstream for the inflate of the IDAT data, use the bits
4698
    * value from the stream (note that this will result in a fatal error if the
4699
    * IDAT stream has a bogus deflate header window_bits value, but this should
4700
    * not be happening any longer!)
4701
    */
4702
   if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
4703
      png_error(png_ptr, png_ptr->zstream.msg);
4704

4705
   png_ptr->flags |= PNG_FLAG_ROW_INIT;
4706
}
4707
#endif /* READ */
4708

4709