CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/ext/libpng17/pngerror.c
Views: 1401
1/* pngerror.c - stub functions for i/o and memory allocation2*3* Last changed in libpng 1.7.0 [(PENDING RELEASE)]4* Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson5* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)6* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)7*8* This code is released under the libpng license.9* For conditions of distribution and use, see the disclaimer10* and license in png.h11*12* This file provides a location for all error handling. Users who13* need special error handling are expected to write replacement functions14* and use png_set_error_fn() to use those functions. See the instructions15* at each function.16*/1718#include "pngpriv.h"19#define PNG_SRC_FILE PNG_SRC_FILE_pngerror2021#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)2223static PNG_FUNCTION(void, png_default_error,PNGARG((png_const_structrp png_ptr,24png_const_charp error_message)),PNG_NORETURN);2526#ifdef PNG_WARNINGS_SUPPORTED27static void /* PRIVATE */28png_default_warning PNGARG((png_const_structrp png_ptr,29png_const_charp warning_message));30#endif /* WARNINGS */3132/* This function is called whenever there is a fatal error. This function33* should not be changed. If there is a need to handle errors differently,34* you should supply a replacement error function and use png_set_error_fn()35* to replace the error function at run-time.36*/37#ifdef PNG_ERROR_TEXT_SUPPORTED38PNG_FUNCTION(void,PNGAPI39png_error,(png_const_structrp png_ptr, png_const_charp error_message),40PNG_NORETURN)41{42if (png_ptr != NULL && png_ptr->error_fn != NULL)43(*(png_ptr->error_fn))(png_constcast(png_structrp,png_ptr),44error_message);4546/* If the custom handler doesn't exist, or if it returns,47use the default handler, which will not return. */48png_default_error(png_ptr, error_message);49}50#else51PNG_FUNCTION(void,PNGAPI52png_err,(png_const_structrp png_ptr),PNG_NORETURN)53{54/* Prior to 1.5.2 the error_fn received a NULL pointer, expressed55* erroneously as '\0', instead of the empty string "". This was56* apparently an error, introduced in libpng-1.2.20, and png_default_error57* will crash in this case.58*/59if (png_ptr != NULL && png_ptr->error_fn != NULL)60(*(png_ptr->error_fn))(png_constcast(png_structrp,png_ptr), "");6162/* If the custom handler doesn't exist, or if it returns,63use the default handler, which will not return. */64png_default_error(png_ptr, "");65}66#endif /* ERROR_TEXT */6768/* Utility to safely appends strings to a buffer. This never errors out so69* error checking is not required in the caller.70*/71size_t72png_safecat(png_charp buffer, size_t bufsize, size_t pos,73png_const_charp string)74{75if (buffer != NULL && pos < bufsize)76{77if (string != NULL)78while (*string != '\0' && pos < bufsize-1)79buffer[pos++] = *string++;8081buffer[pos] = '\0';82}8384return pos;85}8687#if defined(PNG_WARNINGS_SUPPORTED) || defined(PNG_TIME_RFC1123_SUPPORTED)88/* Utility to dump an unsigned value into a buffer, given a start pointer and89* and end pointer (which should point just *beyond* the end of the buffer!)90* Returns the pointer to the start of the formatted string.91*/92#define PNG_HAVE_FORMAT_NUMBER /* for the code below */93png_charp94png_format_number(png_const_charp start, png_charp end, int format,95png_alloc_size_t number)96{97int count = 0; /* number of digits output */98int mincount = 1; /* minimum number required */99int output = 0; /* digit output (for the fixed point format) */100101*--end = '\0';102103/* This is written so that the loop always runs at least once, even with104* number zero.105*/106while (end > start && (number != 0 || count < mincount))107{108109static const char digits[] = "0123456789ABCDEF";110111switch (format)112{113case PNG_NUMBER_FORMAT_fixed:114/* Needs five digits (the fraction) */115mincount = 5;116if (output != 0 || number % 10 != 0)117{118*--end = digits[number % 10];119output = 1;120}121number /= 10;122break;123124case PNG_NUMBER_FORMAT_02u:125/* Expects at least 2 digits. */126mincount = 2;127/* FALL THROUGH */128129case PNG_NUMBER_FORMAT_u:130*--end = digits[number % 10];131number /= 10;132break;133134case PNG_NUMBER_FORMAT_02x:135/* This format expects at least two digits */136mincount = 2;137/* FALL THROUGH */138139case PNG_NUMBER_FORMAT_x:140*--end = digits[number & 0xf];141number >>= 4;142break;143144default: /* an error */145number = 0;146break;147}148149/* Keep track of the number of digits added */150++count;151152/* Float a fixed number here: */153if ((format == PNG_NUMBER_FORMAT_fixed) && (count == 5) && (end > start))154{155/* End of the fraction, but maybe nothing was output? In that case156* drop the decimal point. If the number is a true zero handle that157* here.158*/159if (output != 0)160*--end = '.';161else if (number == 0) /* and !output */162*--end = '0';163}164}165166return end;167}168#endif169170#ifdef PNG_WARNINGS_SUPPORTED171/* This function is called whenever there is a non-fatal error. This function172* should not be changed. If there is a need to handle warnings differently,173* you should supply a replacement warning function and use174* png_set_error_fn() to replace the warning function at run-time.175*/176void PNGAPI177png_warning(png_const_structrp png_ptr, png_const_charp warning_message)178{179int offset = 0;180if (png_ptr != NULL && png_ptr->warning_fn != NULL)181(*(png_ptr->warning_fn))(png_constcast(png_structrp,png_ptr),182warning_message + offset);183else184png_default_warning(png_ptr, warning_message + offset);185}186187/* These functions support 'formatted' warning messages with up to188* PNG_WARNING_PARAMETER_COUNT parameters. In the format string the parameter189* is introduced by @<number>, where 'number' starts at 1. This follows the190* standard established by X/Open for internationalizable error messages.191*/192void193png_warning_parameter(png_warning_parameters p, int number,194png_const_charp string)195{196if (number > 0 && number <= PNG_WARNING_PARAMETER_COUNT)197(void)png_safecat(p[number-1], (sizeof p[number-1]), 0, string);198}199200void201png_warning_parameter_unsigned(png_warning_parameters p, int number, int format,202png_alloc_size_t value)203{204char buffer[PNG_NUMBER_BUFFER_SIZE];205png_warning_parameter(p, number, PNG_FORMAT_NUMBER(buffer, format, value));206}207208void209png_warning_parameter_signed(png_warning_parameters p, int number, int format,210png_int_32 value)211{212png_alloc_size_t u;213png_charp str;214char buffer[PNG_NUMBER_BUFFER_SIZE];215216/* Avoid overflow by doing the negate in a png_alloc_size_t: */217u = (png_alloc_size_t)value;218if (value < 0)219u = ~u + 1;220221str = PNG_FORMAT_NUMBER(buffer, format, u);222223if (value < 0 && str > buffer)224*--str = '-';225226png_warning_parameter(p, number, str);227}228229void230png_formatted_warning(png_const_structrp png_ptr, png_warning_parameters p,231png_const_charp message)232{233/* The internal buffer is just 192 bytes - enough for all our messages,234* overflow doesn't happen because this code checks! If someone figures235* out how to send us a message longer than 192 bytes, all that will236* happen is that the message will be truncated appropriately.237*/238size_t i = 0; /* Index in the msg[] buffer: */239char msg[192];240241/* Each iteration through the following loop writes at most one character242* to msg[i++] then returns here to validate that there is still space for243* the trailing '\0'. It may (in the case of a parameter) read more than244* one character from message[]; it must check for '\0' and continue to the245* test if it finds the end of string.246*/247while (i<(sizeof msg)-1 && *message != '\0')248{249/* '@' at end of string is now just printed (previously it was skipped);250* it is an error in the calling code to terminate the string with @.251*/252if (p != NULL && *message == '@' && message[1] != '\0')253{254int parameter_char = *++message; /* Consume the '@' */255static const char valid_parameters[] = "123456789";256int parameter = 0;257258/* Search for the parameter digit, the index in the string is the259* parameter to use.260*/261while (valid_parameters[parameter] != parameter_char &&262valid_parameters[parameter] != '\0')263++parameter;264265/* If the parameter digit is out of range it will just get printed. */266if (parameter < PNG_WARNING_PARAMETER_COUNT)267{268/* Append this parameter */269png_const_charp parm = p[parameter];270png_const_charp pend = p[parameter] + (sizeof p[parameter]);271272/* No need to copy the trailing '\0' here, but there is no guarantee273* that parm[] has been initialized, so there is no guarantee of a274* trailing '\0':275*/276while (i<(sizeof msg)-1 && *parm != '\0' && parm < pend)277msg[i++] = *parm++;278279/* Consume the parameter digit too: */280++message;281continue;282}283284/* else not a parameter and there is a character after the @ sign; just285* copy that. This is known not to be '\0' because of the test above.286*/287}288289/* At this point *message can't be '\0', even in the bad parameter case290* above where there is a lone '@' at the end of the message string.291*/292msg[i++] = *message++;293}294295/* i is always less than (sizeof msg), so: */296msg[i] = '\0';297298/* And this is the formatted message. It may be larger than299* PNG_MAX_ERROR_TEXT, but that is only used for 'chunk' errors and these300* are not (currently) formatted.301*/302png_warning(png_ptr, msg);303}304#endif /* WARNINGS */305306#ifdef PNG_BENIGN_ERRORS_SUPPORTED307void PNGAPI308png_benign_error(png_const_structrp png_ptr, png_const_charp error_message)309{310switch (png_ptr->benign_error_action)311{312case PNG_ERROR:313png_chunk_error(png_ptr, error_message);314break;315316case PNG_WARN:317png_chunk_warning(png_ptr, error_message);318break;319320default: /* PNG_IGNORE */321break;322}323324# ifndef PNG_ERROR_TEXT_SUPPORTED325PNG_UNUSED(error_message)326# endif327}328329static void330app_error(png_const_structrp png_ptr, png_const_charp error_message,331unsigned int error_action)332{333switch (error_action)334{335case PNG_ERROR:336png_error(png_ptr, error_message);337break;338339case PNG_WARN:340png_warning(png_ptr, error_message);341break;342343default: /* PNG_IGNORE */344break;345}346347# ifndef PNG_ERROR_TEXT_SUPPORTED348PNG_UNUSED(error_message)349# endif350}351352void /* PRIVATE */353png_app_warning(png_const_structrp png_ptr, png_const_charp error_message)354{355app_error(png_ptr, error_message, png_ptr->app_warning_action);356}357358void /* PRIVATE */359png_app_error(png_const_structrp png_ptr, png_const_charp error_message)360{361app_error(png_ptr, error_message, png_ptr->app_error_action);362}363#endif /* BENIGN_ERRORS */364365#define PNG_MAX_ERROR_TEXT 196 /* Currently limited by profile_error in png.c */366#if defined(PNG_WARNINGS_SUPPORTED) || \367(defined(PNG_READ_SUPPORTED) && defined(PNG_ERROR_TEXT_SUPPORTED))368/* These utilities are used internally to build an error message that relates369* to the current chunk. The chunk name comes from png_ptr->chunk_name unless370* png_ptr->zowner is set in which case that is used in preference. This is371* used to prefix the message. The message is limited in length to 63 bytes.372* The name characters are output as hex digits wrapped in [] if the character373* is invalid.374*375* Using 'zowner' means that IDAT errors at the end of the IDAT stream are still376* reported as from the IDAT chunks.377*/378#define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))379static PNG_CONST char png_digit[16] = {380'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',381'A', 'B', 'C', 'D', 'E', 'F'382};383384static void /* PRIVATE */385png_format_buffer(png_const_structrp png_ptr, png_charp buffer, png_const_charp386error_message)387{388png_uint_32 chunk_name = png_ptr->zowner;389int iout = 0, ishift = 24;390391if (chunk_name == 0)392chunk_name = png_ptr->chunk_name;393394while (ishift >= 0)395{396int c = (int)(chunk_name >> ishift) & 0xff;397398ishift -= 8;399if (isnonalpha(c) != 0)400{401buffer[iout++] = PNG_LITERAL_LEFT_SQUARE_BRACKET;402buffer[iout++] = png_digit[(c & 0xf0) >> 4];403buffer[iout++] = png_digit[c & 0x0f];404buffer[iout++] = PNG_LITERAL_RIGHT_SQUARE_BRACKET;405}406407else408{409buffer[iout++] = png_check_char(png_ptr, c);410}411}412413if (error_message == NULL)414buffer[iout] = '\0';415416else417{418int iin = 0;419420buffer[iout++] = ':';421buffer[iout++] = ' ';422423while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')424buffer[iout++] = error_message[iin++];425426/* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */427buffer[iout] = '\0';428}429}430#endif /* WARNINGS || ERROR_TEXT */431432#if defined(PNG_READ_SUPPORTED) && defined(PNG_ERROR_TEXT_SUPPORTED)433PNG_FUNCTION(void,PNGAPI434png_chunk_error,(png_const_structrp png_ptr, png_const_charp error_message),435PNG_NORETURN)436{437char msg[18+PNG_MAX_ERROR_TEXT];438if (png_ptr == NULL || png_ptr->chunk_name == 0U)439png_error(png_ptr, error_message);440441else442{443png_format_buffer(png_ptr, msg, error_message);444png_error(png_ptr, msg);445}446}447#endif /* READ && ERROR_TEXT */448449#ifdef PNG_WARNINGS_SUPPORTED450void PNGAPI451png_chunk_warning(png_const_structrp png_ptr, png_const_charp warning_message)452{453char msg[18+PNG_MAX_ERROR_TEXT];454if (png_ptr == NULL || png_ptr->chunk_name == 0U)455png_warning(png_ptr, warning_message);456457else458{459png_format_buffer(png_ptr, msg, warning_message);460png_warning(png_ptr, msg);461}462}463#endif /* WARNINGS */464465#ifdef PNG_READ_SUPPORTED466#ifdef PNG_BENIGN_ERRORS_SUPPORTED467void PNGAPI468png_chunk_benign_error(png_const_structrp png_ptr, png_const_charp469error_message)470{471switch (png_ptr->benign_error_action)472{473case PNG_ERROR:474png_chunk_error(png_ptr, error_message);475break;476477case PNG_WARN:478png_chunk_warning(png_ptr, error_message);479break;480481default: /* PNG_IGNORE */482break;483}484485# ifndef PNG_ERROR_TEXT_SUPPORTED486PNG_UNUSED(error_message)487# endif488}489#endif /* BENIGN_ERRORS */490#endif /* READ */491492void /* PRIVATE */493(png_chunk_report)(png_const_structrp png_ptr, png_const_charp message,494int error)495{496/* This is always supported, but for just read or just write it497* unconditionally does the right thing.498*/499# if defined(PNG_READ_SUPPORTED) && defined(PNG_WRITE_SUPPORTED)500if (png_ptr->read_struct)501# endif502503# ifdef PNG_READ_SUPPORTED504{505if (error < PNG_CHUNK_ERROR)506png_chunk_warning(png_ptr, message);507508else if (error < PNG_CHUNK_FATAL)509png_chunk_benign_error(png_ptr, message);510511else512png_chunk_error(png_ptr, message);513}514# endif515516# if defined(PNG_READ_SUPPORTED) && defined(PNG_WRITE_SUPPORTED)517else if (!png_ptr->read_struct)518# endif519520# ifdef PNG_WRITE_SUPPORTED521{522if (error < PNG_CHUNK_WRITE_ERROR)523png_app_warning(png_ptr, message);524525else if (error < PNG_CHUNK_FATAL)526png_app_error(png_ptr, message);527528else529png_error(png_ptr, message);530}531# endif532533# ifndef PNG_ERROR_TEXT_SUPPORTED534PNG_UNUSED(message)535# endif536}537538#ifdef PNG_ERROR_TEXT_SUPPORTED539540#if defined(PNG_FLOATING_POINT_SUPPORTED) && \541(defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \542defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \543defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \544(defined(PNG_FLOATING_ARITHMETIC_SUPPORTED) &&\545defined(PNG_sCAL_SUPPORTED))546PNG_FUNCTION(void,547png_fixed_error,(png_const_structrp png_ptr, png_const_charp name),PNG_NORETURN)548{549# define fixed_message "fixed point overflow in "550# define fixed_message_ln ((sizeof fixed_message)-1)551int iin;552char msg[fixed_message_ln+PNG_MAX_ERROR_TEXT];553memcpy(msg, fixed_message, fixed_message_ln);554iin = 0;555if (name != NULL)556while (iin < (PNG_MAX_ERROR_TEXT-1) && name[iin] != 0)557{558msg[fixed_message_ln + iin] = name[iin];559++iin;560}561msg[fixed_message_ln + iin] = 0;562png_error(png_ptr, msg);563}564#endif565#endif566567#ifdef PNG_SETJMP_SUPPORTED568/* This API only exists if ANSI-C style error handling is used,569* otherwise it is necessary for png_default_error to be overridden.570*/571jmp_buf* PNGAPI572png_set_longjmp_fn(png_structrp png_ptr, png_longjmp_ptr longjmp_fn,573size_t jmp_buf_size)574{575/* From libpng 1.6.0 the app gets one chance to set a 'jmpbuf_size' value576* and it must not change after that. Libpng doesn't care how big the577* buffer is, just that it doesn't change.578*579* If the buffer size is no *larger* than the size of jmp_buf when libpng is580* compiled a built in jmp_buf is returned; this preserves the pre-1.6.0581* semantics that this call will not fail. If the size is larger, however,582* the buffer is allocated and this may fail, causing the function to return583* NULL.584*/585if (png_ptr == NULL)586return NULL;587588if (png_ptr->jmp_buf_ptr == NULL)589{590png_ptr->jmp_buf_size = 0; /* not allocated */591592if (jmp_buf_size <= (sizeof png_ptr->jmp_buf_local))593png_ptr->jmp_buf_ptr = &png_ptr->jmp_buf_local;594595else596{597png_ptr->jmp_buf_ptr = png_voidcast(jmp_buf *,598png_malloc_warn(png_ptr, jmp_buf_size));599600if (png_ptr->jmp_buf_ptr == NULL)601return NULL; /* new NULL return on OOM */602603png_ptr->jmp_buf_size = jmp_buf_size;604}605}606607else /* Already allocated: check the size */608{609size_t size = png_ptr->jmp_buf_size;610611if (size == 0)612{613size = (sizeof png_ptr->jmp_buf_local);614if (png_ptr->jmp_buf_ptr != &png_ptr->jmp_buf_local)615{616/* This is an internal error in libpng: somehow we have been left617* with a stack allocated jmp_buf when the application regained618* control. It's always possible to fix this up, but for the moment619* this is an affirm because that makes it easy to detect.620*/621impossible("Libpng jmp_buf still allocated");622/* png_ptr->jmp_buf_ptr = &png_ptr->jmp_buf_local; */623}624}625626if (size != jmp_buf_size)627{628png_warning(png_ptr, "Application jmp_buf size changed");629return NULL; /* caller will probably crash: no choice here */630}631}632633/* Finally fill in the function, now we have a satisfactory buffer. It is634* valid to change the function on every call.635*/636png_ptr->longjmp_fn = longjmp_fn;637return png_ptr->jmp_buf_ptr;638}639640void /* PRIVATE */641png_free_jmpbuf(png_structrp png_ptr)642{643if (png_ptr != NULL)644{645jmp_buf *jb = png_ptr->jmp_buf_ptr;646647/* A size of 0 is used to indicate a local, stack, allocation of the648* pointer; used here and in png.c649*/650if (jb != NULL && png_ptr->jmp_buf_size > 0)651{652653/* This stuff is so that a failure to free the error control structure654* does not leave libpng in a state with no valid error handling: the655* free always succeeds, if there is an error it gets ignored.656*/657if (jb != &png_ptr->jmp_buf_local)658{659/* Make an internal, libpng, jmp_buf to return here */660jmp_buf free_jmp_buf;661662if (!setjmp(free_jmp_buf))663{664png_ptr->jmp_buf_ptr = &free_jmp_buf; /* come back here */665png_ptr->jmp_buf_size = 0; /* stack allocation */666png_ptr->longjmp_fn = longjmp;667png_free(png_ptr, jb); /* Return to setjmp on error */668}669}670}671672/* *Always* cancel everything out: */673png_ptr->jmp_buf_size = 0;674png_ptr->jmp_buf_ptr = NULL;675png_ptr->longjmp_fn = 0;676}677}678#endif679680/* This is the default error handling function. Note that replacements for681* this function MUST NOT RETURN, or the program will likely crash. This682* function is used by default, or if the program supplies NULL for the683* error function pointer in png_set_error_fn().684*/685static PNG_FUNCTION(void /* PRIVATE */,686png_default_error,(png_const_structrp png_ptr, png_const_charp error_message),687PNG_NORETURN)688{689#ifdef PNG_CONSOLE_IO_SUPPORTED690{691fprintf(stderr, "libpng error: %s", error_message ? error_message :692"undefined");693fprintf(stderr, PNG_STRING_NEWLINE);694}695#else696PNG_UNUSED(error_message) /* Make compiler happy */697#endif698png_longjmp(png_ptr, 1);699}700701PNG_FUNCTION(void,PNGAPI702png_longjmp,(png_const_structrp png_ptr, int val),PNG_NORETURN)703{704#ifdef PNG_SETJMP_SUPPORTED705if (png_ptr != NULL && png_ptr->longjmp_fn != NULL &&706png_ptr->jmp_buf_ptr != NULL)707png_ptr->longjmp_fn(*png_ptr->jmp_buf_ptr, val);708#else709PNG_UNUSED(png_ptr)710PNG_UNUSED(val)711#endif712713/* If control reaches this point, png_longjmp() must not return. The only714* choice is to terminate the whole process (or maybe the thread); to do715* this the ANSI-C abort() function is used unless a different method is716* implemented by overriding the default configuration setting for717* PNG_ABORT (see scripts/pnglibconf.dfa).718*719* API change: prior to 1.7.0 PNG_ABORT was invoked as a function type macro720* with no arguments 'PNG_ABORT();', in 1.7.0 this is changed to a simple721* macro that is defined in the configuration.722*/723PNG_ABORT724}725726#ifdef PNG_WARNINGS_SUPPORTED727/* This function is called when there is a warning, but the library thinks728* it can continue anyway. Replacement functions don't have to do anything729* here if you don't want them to. In the default configuration, png_ptr is730* not used, but it is passed in case it may be useful.731*/732static void /* PRIVATE */733png_default_warning(png_const_structrp png_ptr, png_const_charp warning_message)734{735#ifdef PNG_CONSOLE_IO_SUPPORTED736{737fprintf(stderr, "libpng warning: %s", warning_message);738fprintf(stderr, PNG_STRING_NEWLINE);739}740#else741PNG_UNUSED(warning_message) /* Make compiler happy */742#endif743PNG_UNUSED(png_ptr) /* Make compiler happy */744}745#endif /* WARNINGS */746747/* This function is called when the application wants to use another method748* of handling errors and warnings. Note that the error function MUST NOT749* return to the calling routine or serious problems will occur. The return750* method used in the default routine calls longjmp(png_ptr->jmp_buf_ptr, 1)751*/752void PNGAPI753png_set_error_fn(png_structrp png_ptr, png_voidp error_ptr,754png_error_ptr error_fn, png_error_ptr warning_fn)755{756if (png_ptr == NULL)757return;758759png_ptr->error_ptr = error_ptr;760png_ptr->error_fn = error_fn;761#ifdef PNG_WARNINGS_SUPPORTED762png_ptr->warning_fn = warning_fn;763#else764PNG_UNUSED(warning_fn)765#endif766}767768769/* This function returns a pointer to the error_ptr associated with the user770* functions. The application should free any memory associated with this771* pointer before png_write_destroy and png_read_destroy are called.772*/773png_voidp PNGAPI774png_get_error_ptr(png_const_structrp png_ptr)775{776if (png_ptr == NULL)777return NULL;778779return ((png_voidp)png_ptr->error_ptr);780}781782783#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\784defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)785/* Currently the above both depend on SETJMP_SUPPORTED, however it would be786* possible to implement without setjmp support just so long as there is some787* way to handle the error return here:788*/789PNG_FUNCTION(void /* PRIVATE */, (PNGCBAPI790png_safe_error),(png_structp png_nonconst_ptr, png_const_charp error_message),791PNG_NORETURN)792{793const png_const_structrp png_ptr = png_nonconst_ptr;794png_imagep image = png_voidcast(png_imagep, png_ptr->error_ptr);795796/* An error is always logged here, overwriting anything (typically a warning)797* that is already there:798*/799if (image != NULL)800{801png_safecat(image->message, (sizeof image->message), 0, error_message);802image->warning_or_error |= PNG_IMAGE_ERROR;803804/* Retrieve the jmp_buf from within the png_control, making this work for805* C++ compilation too is pretty tricky: C++ wants a pointer to the first806* element of a jmp_buf, but C doesn't tell us the type of that.807*/808if (image->opaque != NULL && image->opaque->error_buf != NULL)809longjmp(png_control_jmp_buf(image->opaque), 1);810811/* Missing longjmp buffer, the following is to help debugging: */812{813size_t pos = png_safecat(image->message, (sizeof image->message), 0,814"bad longjmp: ");815png_safecat(image->message, (sizeof image->message), pos,816error_message);817}818}819820/* Here on an internal programming error. */821abort();822}823824#ifdef PNG_WARNINGS_SUPPORTED825void /* PRIVATE */ PNGCBAPI826png_safe_warning(png_structp png_nonconst_ptr, png_const_charp warning_message)827{828const png_const_structrp png_ptr = png_nonconst_ptr;829png_imagep image = png_voidcast(png_imagep, png_ptr->error_ptr);830831/* A warning is only logged if there is no prior warning or error. */832if (image->warning_or_error == 0)833{834png_safecat(image->message, (sizeof image->message), 0, warning_message);835image->warning_or_error |= PNG_IMAGE_WARNING;836}837}838#endif839840int /* PRIVATE */841png_safe_execute(png_imagep image_in, int (*function)(png_voidp), png_voidp arg)842{843volatile png_imagep image = image_in;844volatile int result;845volatile png_voidp saved_error_buf;846jmp_buf safe_jmpbuf;847848/* Safely execute function(arg) with png_error returning to this function. */849saved_error_buf = image->opaque->error_buf;850result = setjmp(safe_jmpbuf) == 0;851852if (result != 0)853{854855image->opaque->error_buf = safe_jmpbuf;856result = function(arg);857}858859image->opaque->error_buf = saved_error_buf;860861/* And do the cleanup prior to any failure return. */862if (result == 0)863png_image_free(image);864865return result;866}867#endif /* SIMPLIFIED READ || SIMPLIFIED_WRITE */868869/* Affirms: minimal code in 'STABLE' builds to return control to the870* application via png_error(), more verbose code followed by PNG_ABORT for871* all other builds to ensure that internal errors are detected.872*873* The code always produces a message if it is possible, regardless of the874* setting of PNG_ERROR_TEXT_SUPPORTED, except that in stable builds875* PNG_ERROR_TEXT_SUPPORTED is honored. See pngpriv.h for the calculation of876* the two control macros PNG_RELEASE_BUILD (don't abort; stable build or rc)877* and PNG_AFFIRM_TEXT (output text.)878*/879#if PNG_AFFIRM_TEXT880# ifdef PNG_HAVE_FORMAT_NUMBER881static size_t882png_affirm_number(png_charp buffer, size_t bufsize, size_t pos,883unsigned int number, int format)884{885char numbuf[PNG_NUMBER_BUFFER_SIZE];886return png_safecat(buffer, bufsize, pos,887png_format_number(numbuf, numbuf + sizeof numbuf, format, number));888}889# define affirm_number(a,b,c,d,e) png_affirm_number(a,b,c,d,e)890# else /* !HAVE_FORMAT_NUMBER */891static size_t892png_affirm_number(png_charp buffer, size_t bufsize, size_t pos,893unsigned int number)894{895/* binhex it; highly non-portable, assumes the ASCII character set, but896* if warnings are turned off then it is unlikely the text will get read897* anyway. This binhex variant is (48+val), where 'val' is the next 6898* bits of the number, so it starts as '0' (for 0) and ends at 'I' for899* 63. The number is wrapped in {}, so 0 comes out as '{}' and 9 comes900* out as '{9}' and so on.901*/902char numbuf[32];903int i = sizeof numbuf;904905numbuf[--i] = 0;906numbuf[--i] = '}';907908do909{910if (number > 0)911numbuf[--i] = (char)/*SAFE*/((number & 63) + 48), number >>= 6;912else913{914numbuf[--i] = '{';915break;916}917}918while (i > 0);919920return png_safecat(buffer, bufsize, pos, numbuf+i);921}922# define affirm_number(a,b,c,d,e) png_affirm_number(a,b,c,d)923#endif /* !HAVE_FORMAT_NUMBER */924925static void926affirm_text(png_charp buffer, size_t bufsize,927param_deb(png_const_charp condition) unsigned int position)928{929/* Format the 'position' number and output:930*931* "<file> <line>: affirm 'condition' failed\n"932* " libpng version <version> - <date>\n"933* " translated __DATE__ __TIME__"934*935* In the STABLE versions the output is the same for the last two lines936* but the first line becomes:937*938* "<position>: affirm failed"939*940* If there is no number formatting the numbers just get replaced by941* some binhex (see the utility above).942*/943size_t pos = 0;944945# if PNG_RELEASE_BUILD /* no 'condition' parameter: minimal text */946pos = affirm_number(buffer, bufsize, pos, position, PNG_NUMBER_FORMAT_x);947pos = png_safecat(buffer, bufsize, pos, ": affirm failed");948# else /* !STABLE */949/* Break down 'position' into a file name and a line number: */950{951# define PNG_apply(f) { #f "\0", PNG_SRC_FILE_ ## f },952# define PNG_end { "", PNG_SRC_FILE_LAST }953static struct {954char filename[28]; /* GCC checks this size */955unsigned int base;956} fileinfo[] = { PNG_FILES };957# undef PNG_apply958# undef PNG_end959960unsigned int i;961png_const_charp filename;962963/* Do 'nfiles' this way to avoid problems with g++ where it whines964* about (size_t) being larger than (int), even though this is a965* compile time constant:966*/967# define nfiles ((sizeof fileinfo)/(sizeof (fileinfo[0])))968for (i=0; i < nfiles && position > fileinfo[i].base; ++i) {}969970if (i == 0 || i > nfiles)971filename = "UNKNOWN";972else973{974filename = fileinfo[i-1].filename;975position -= fileinfo[i-1].base;976}977# undef nfiles978979pos = png_safecat(buffer, bufsize, pos, filename);980pos = png_safecat(buffer, bufsize, pos, ".c ");981pos = affirm_number(buffer, bufsize, pos, position,982PNG_NUMBER_FORMAT_u);983}984985pos = png_safecat(buffer, bufsize, pos, ": affirm '");986pos = png_safecat(buffer, bufsize, pos, condition);987pos = png_safecat(buffer, bufsize, pos, "' failed\n");988# endif /* !STABLE */989990pos = png_safecat(buffer, bufsize, pos, PNG_HEADER_VERSION_STRING);991pos = png_safecat(buffer, bufsize, pos,992" translated " __DATE__ " " __TIME__);993}994995#define affirm_text(b, c, p)\996do {\997(affirm_text)(b, sizeof b, param_deb(c) (p));\998} while (0)9991000#endif /* AFFIRM_TEXT */10011002PNG_FUNCTION(void,png_affirm,(png_const_structrp png_ptr,1003param_deb(png_const_charp condition) unsigned int position),PNG_NORETURN)1004{1005# if PNG_AFFIRM_TEXT1006char buffer[512];10071008affirm_text(buffer, condition, position);1009# else /* !AFFIRM_TEXT */1010PNG_UNUSED(position)1011# if !PNG_RELEASE_BUILD1012PNG_UNUSED(condition)1013# endif1014# endif /* AFFIRM_TEXT */10151016/* Now in STABLE do a png_error, but in other builds output the message1017* (if possible) then abort (PNG_ABORT).1018*/1019# if PNG_RELEASE_BUILD1020png_error(png_ptr, buffer/*macro parameter used only if ERROR_TEXT*/);1021# else /* !AFFIRM_ERROR */1022/* Use console IO if possible; this is because there is no guarantee that1023* the app 'warning' will output anything. For certain the simplified1024* API implementation just copies the message (truncated) to the image1025* message buffer, which makes debugging much more difficult.1026*1027* Note that it is possible that neither WARNINGS nor CONSOLE_IO are1028* supported; in that case no text will be output (and PNG_AFFIRM_TEXT1029* will be false.)1030*/1031# ifdef PNG_CONSOLE_IO_SUPPORTED1032fprintf(stderr, "%s\n", buffer);1033PNG_UNUSED(png_ptr)1034# elif defined PNG_WARNINGS_SUPPORTED1035if (png_ptr != NULL && png_ptr->warning_fn != NULL)1036png_ptr->warning_fn(png_constcast(png_structrp, png_ptr), buffer);1037/* else no way to output the text */1038# else1039PNG_UNUSED(png_ptr)1040# endif10411042PNG_ABORT1043# endif /* AFFIRM_ERROR */1044}10451046#if !PNG_RELEASE_BUILD1047void /* PRIVATE */1048png_handled_affirm(png_const_structrp png_ptr, png_const_charp message,1049unsigned int position)1050{1051# if PNG_RELEASE_BUILD1052/* testing in RC: we want to return control to the caller, so do not1053* use png_affirm.1054*/1055char buffer[512];10561057affirm_text(buffer, message, position);10581059# ifdef PNG_CONSOLE_IO_SUPPORTED1060fprintf(stderr, "%s\n", buffer);1061# elif defined PNG_WARNINGS_SUPPORTED1062if (png_ptr != NULL && png_ptr->warning_fn != NULL)1063png_ptr->warning_fn(png_constcast(png_structrp, png_ptr), buffer);1064/* else no way to output the text */1065# else1066PNG_UNUSED(png_ptr)1067# endif1068# else1069png_affirm(png_ptr, message, position);1070# endif1071}1072#endif /* !RELEASE_BUILD */10731074#ifdef PNG_RANGE_CHECK_SUPPORTED1075/* The character/byte checking APIs. These do their own calls to png_affirm1076* because the caller provides the position.1077*/1078unsigned int /* PRIVATE */1079png_bit_affirm(png_const_structrp png_ptr, unsigned int position,1080unsigned int u, unsigned int bits)1081{1082/* The following avoids overflow errors even if 'bits' is 16 or 32: */1083if (u <= (1U << bits)-1U)1084return u;10851086png_affirm(png_ptr, param_deb("(bit field) range") position);1087}10881089char /* PRIVATE */1090png_char_affirm(png_const_structrp png_ptr, unsigned int position, int c)1091{1092if (c >= CHAR_MIN && c <= CHAR_MAX)1093return (char)/*SAFE*/c;10941095png_affirm(png_ptr, param_deb("(char) range") position);1096}10971098png_byte /* PRIVATE */1099png_byte_affirm(png_const_structrp png_ptr, unsigned int position, int b)1100{1101/* For the type png_byte the limits.h values are ignored and we check1102* against the values PNG expects to store in a byte:1103*/1104if (b >= 0 && b <= 255)1105return (png_byte)/*SAFE*/b;11061107png_affirm(png_ptr, param_deb("PNG byte range") position);1108}11091110#if INT_MAX >= 655351111png_uint_16 /* PRIVATE */1112png_u16_affirm(png_const_structrp png_ptr, unsigned int position, int b)1113{1114/* Check against the PNG 16-bit limit, as with png_byte. */1115if (b >= 0 && b <= 65535)1116return (png_uint_16)/*SAFE*/b;11171118png_affirm(png_ptr, param_deb("PNG 16-bit range") position);1119}1120#endif /* INT_MAX >= 65535 */1121#endif /* RANGE_CHECK */1122#endif /* READ || WRITE */112311241125