src/third-party/libpng/pngpread.c (view raw)
1
2/* pngpread.c - read a png file in push mode
3 *
4 * Last changed in libpng 1.6.17 [March 26, 2015]
5 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14#include "pngpriv.h"
15
16#ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17
18/* Push model modes */
19#define PNG_READ_SIG_MODE 0
20#define PNG_READ_CHUNK_MODE 1
21#define PNG_READ_IDAT_MODE 2
22#define PNG_SKIP_MODE 3
23#define PNG_READ_tEXt_MODE 4
24#define PNG_READ_zTXt_MODE 5
25#define PNG_READ_DONE_MODE 6
26#define PNG_READ_iTXt_MODE 7
27#define PNG_ERROR_MODE 8
28
29#define PNG_PUSH_SAVE_BUFFER_IF_FULL \
30if (png_ptr->push_length + 4 > png_ptr->buffer_size) \
31 { png_push_save_buffer(png_ptr); return; }
32#define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \
33if (png_ptr->buffer_size < N) \
34 { png_push_save_buffer(png_ptr); return; }
35
36void PNGAPI
37png_process_data(png_structrp png_ptr, png_inforp info_ptr,
38 png_bytep buffer, png_size_t buffer_size)
39{
40 if (png_ptr == NULL || info_ptr == NULL)
41 return;
42
43 png_push_restore_buffer(png_ptr, buffer, buffer_size);
44
45 while (png_ptr->buffer_size)
46 {
47 png_process_some_data(png_ptr, info_ptr);
48 }
49}
50
51png_size_t PNGAPI
52png_process_data_pause(png_structrp png_ptr, int save)
53{
54 if (png_ptr != NULL)
55 {
56 /* It's easiest for the caller if we do the save; then the caller doesn't
57 * have to supply the same data again:
58 */
59 if (save != 0)
60 png_push_save_buffer(png_ptr);
61 else
62 {
63 /* This includes any pending saved bytes: */
64 png_size_t remaining = png_ptr->buffer_size;
65 png_ptr->buffer_size = 0;
66
67 /* So subtract the saved buffer size, unless all the data
68 * is actually 'saved', in which case we just return 0
69 */
70 if (png_ptr->save_buffer_size < remaining)
71 return remaining - png_ptr->save_buffer_size;
72 }
73 }
74
75 return 0;
76}
77
78png_uint_32 PNGAPI
79png_process_data_skip(png_structrp png_ptr)
80{
81 png_uint_32 remaining = 0;
82
83 if (png_ptr != NULL && png_ptr->process_mode == PNG_SKIP_MODE &&
84 png_ptr->skip_length > 0)
85 {
86 /* At the end of png_process_data the buffer size must be 0 (see the loop
87 * above) so we can detect a broken call here:
88 */
89 if (png_ptr->buffer_size != 0)
90 png_error(png_ptr,
91 "png_process_data_skip called inside png_process_data");
92
93 /* If is impossible for there to be a saved buffer at this point -
94 * otherwise we could not be in SKIP mode. This will also happen if
95 * png_process_skip is called inside png_process_data (but only very
96 * rarely.)
97 */
98 if (png_ptr->save_buffer_size != 0)
99 png_error(png_ptr, "png_process_data_skip called with saved data");
100
101 remaining = png_ptr->skip_length;
102 png_ptr->skip_length = 0;
103 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
104 }
105
106 return remaining;
107}
108
109/* What we do with the incoming data depends on what we were previously
110 * doing before we ran out of data...
111 */
112void /* PRIVATE */
113png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
114{
115 if (png_ptr == NULL)
116 return;
117
118 switch (png_ptr->process_mode)
119 {
120 case PNG_READ_SIG_MODE:
121 {
122 png_push_read_sig(png_ptr, info_ptr);
123 break;
124 }
125
126 case PNG_READ_CHUNK_MODE:
127 {
128 png_push_read_chunk(png_ptr, info_ptr);
129 break;
130 }
131
132 case PNG_READ_IDAT_MODE:
133 {
134 png_push_read_IDAT(png_ptr);
135 break;
136 }
137
138 case PNG_SKIP_MODE:
139 {
140 png_push_crc_finish(png_ptr);
141 break;
142 }
143
144 default:
145 {
146 png_ptr->buffer_size = 0;
147 break;
148 }
149 }
150}
151
152/* Read any remaining signature bytes from the stream and compare them with
153 * the correct PNG signature. It is possible that this routine is called
154 * with bytes already read from the signature, either because they have been
155 * checked by the calling application, or because of multiple calls to this
156 * routine.
157 */
158void /* PRIVATE */
159png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
160{
161 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */
162 num_to_check = 8 - num_checked;
163
164 if (png_ptr->buffer_size < num_to_check)
165 {
166 num_to_check = png_ptr->buffer_size;
167 }
168
169 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
170 num_to_check);
171 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
172
173 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
174 {
175 if (num_checked < 4 &&
176 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
177 png_error(png_ptr, "Not a PNG file");
178
179 else
180 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
181 }
182 else
183 {
184 if (png_ptr->sig_bytes >= 8)
185 {
186 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
187 }
188 }
189}
190
191void /* PRIVATE */
192png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
193{
194 png_uint_32 chunk_name;
195#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
196 int keep; /* unknown handling method */
197#endif
198
199 /* First we make sure we have enough data for the 4-byte chunk name
200 * and the 4-byte chunk length before proceeding with decoding the
201 * chunk data. To fully decode each of these chunks, we also make
202 * sure we have enough data in the buffer for the 4-byte CRC at the
203 * end of every chunk (except IDAT, which is handled separately).
204 */
205 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
206 {
207 png_byte chunk_length[4];
208 png_byte chunk_tag[4];
209
210 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
211 png_push_fill_buffer(png_ptr, chunk_length, 4);
212 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
213 png_reset_crc(png_ptr);
214 png_crc_read(png_ptr, chunk_tag, 4);
215 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
216 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
217 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
218 }
219
220 chunk_name = png_ptr->chunk_name;
221
222 if (chunk_name == png_IDAT)
223 {
224 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
225 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
226
227 /* If we reach an IDAT chunk, this means we have read all of the
228 * header chunks, and we can start reading the image (or if this
229 * is called after the image has been read - we have an error).
230 */
231 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
232 png_error(png_ptr, "Missing IHDR before IDAT");
233
234 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
235 (png_ptr->mode & PNG_HAVE_PLTE) == 0)
236 png_error(png_ptr, "Missing PLTE before IDAT");
237
238 png_ptr->mode |= PNG_HAVE_IDAT;
239 png_ptr->process_mode = PNG_READ_IDAT_MODE;
240
241 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0)
242 if (png_ptr->push_length == 0)
243 return;
244
245 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0)
246 png_benign_error(png_ptr, "Too many IDATs found");
247 }
248
249 if (chunk_name == png_IHDR)
250 {
251 if (png_ptr->push_length != 13)
252 png_error(png_ptr, "Invalid IHDR length");
253
254 PNG_PUSH_SAVE_BUFFER_IF_FULL
255 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
256 }
257
258 else if (chunk_name == png_IEND)
259 {
260 PNG_PUSH_SAVE_BUFFER_IF_FULL
261 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
262
263 png_ptr->process_mode = PNG_READ_DONE_MODE;
264 png_push_have_end(png_ptr, info_ptr);
265 }
266
267#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
268 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0)
269 {
270 PNG_PUSH_SAVE_BUFFER_IF_FULL
271 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep);
272
273 if (chunk_name == png_PLTE)
274 png_ptr->mode |= PNG_HAVE_PLTE;
275 }
276#endif
277
278 else if (chunk_name == png_PLTE)
279 {
280 PNG_PUSH_SAVE_BUFFER_IF_FULL
281 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
282 }
283
284 else if (chunk_name == png_IDAT)
285 {
286 png_ptr->idat_size = png_ptr->push_length;
287 png_ptr->process_mode = PNG_READ_IDAT_MODE;
288 png_push_have_info(png_ptr, info_ptr);
289 png_ptr->zstream.avail_out =
290 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
291 png_ptr->iwidth) + 1;
292 png_ptr->zstream.next_out = png_ptr->row_buf;
293 return;
294 }
295
296#ifdef PNG_READ_gAMA_SUPPORTED
297 else if (png_ptr->chunk_name == png_gAMA)
298 {
299 PNG_PUSH_SAVE_BUFFER_IF_FULL
300 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
301 }
302
303#endif
304#ifdef PNG_READ_sBIT_SUPPORTED
305 else if (png_ptr->chunk_name == png_sBIT)
306 {
307 PNG_PUSH_SAVE_BUFFER_IF_FULL
308 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
309 }
310
311#endif
312#ifdef PNG_READ_cHRM_SUPPORTED
313 else if (png_ptr->chunk_name == png_cHRM)
314 {
315 PNG_PUSH_SAVE_BUFFER_IF_FULL
316 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
317 }
318
319#endif
320#ifdef PNG_READ_sRGB_SUPPORTED
321 else if (chunk_name == png_sRGB)
322 {
323 PNG_PUSH_SAVE_BUFFER_IF_FULL
324 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
325 }
326
327#endif
328#ifdef PNG_READ_iCCP_SUPPORTED
329 else if (png_ptr->chunk_name == png_iCCP)
330 {
331 PNG_PUSH_SAVE_BUFFER_IF_FULL
332 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
333 }
334
335#endif
336#ifdef PNG_READ_sPLT_SUPPORTED
337 else if (chunk_name == png_sPLT)
338 {
339 PNG_PUSH_SAVE_BUFFER_IF_FULL
340 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
341 }
342
343#endif
344#ifdef PNG_READ_tRNS_SUPPORTED
345 else if (chunk_name == png_tRNS)
346 {
347 PNG_PUSH_SAVE_BUFFER_IF_FULL
348 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
349 }
350
351#endif
352#ifdef PNG_READ_bKGD_SUPPORTED
353 else if (chunk_name == png_bKGD)
354 {
355 PNG_PUSH_SAVE_BUFFER_IF_FULL
356 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
357 }
358
359#endif
360#ifdef PNG_READ_hIST_SUPPORTED
361 else if (chunk_name == png_hIST)
362 {
363 PNG_PUSH_SAVE_BUFFER_IF_FULL
364 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
365 }
366
367#endif
368#ifdef PNG_READ_pHYs_SUPPORTED
369 else if (chunk_name == png_pHYs)
370 {
371 PNG_PUSH_SAVE_BUFFER_IF_FULL
372 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
373 }
374
375#endif
376#ifdef PNG_READ_oFFs_SUPPORTED
377 else if (chunk_name == png_oFFs)
378 {
379 PNG_PUSH_SAVE_BUFFER_IF_FULL
380 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
381 }
382#endif
383
384#ifdef PNG_READ_pCAL_SUPPORTED
385 else if (chunk_name == png_pCAL)
386 {
387 PNG_PUSH_SAVE_BUFFER_IF_FULL
388 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
389 }
390
391#endif
392#ifdef PNG_READ_sCAL_SUPPORTED
393 else if (chunk_name == png_sCAL)
394 {
395 PNG_PUSH_SAVE_BUFFER_IF_FULL
396 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
397 }
398
399#endif
400#ifdef PNG_READ_tIME_SUPPORTED
401 else if (chunk_name == png_tIME)
402 {
403 PNG_PUSH_SAVE_BUFFER_IF_FULL
404 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
405 }
406
407#endif
408#ifdef PNG_READ_tEXt_SUPPORTED
409 else if (chunk_name == png_tEXt)
410 {
411 PNG_PUSH_SAVE_BUFFER_IF_FULL
412 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
413 }
414
415#endif
416#ifdef PNG_READ_zTXt_SUPPORTED
417 else if (chunk_name == png_zTXt)
418 {
419 PNG_PUSH_SAVE_BUFFER_IF_FULL
420 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
421 }
422
423#endif
424#ifdef PNG_READ_iTXt_SUPPORTED
425 else if (chunk_name == png_iTXt)
426 {
427 PNG_PUSH_SAVE_BUFFER_IF_FULL
428 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
429 }
430#endif
431
432 else
433 {
434 PNG_PUSH_SAVE_BUFFER_IF_FULL
435 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length,
436 PNG_HANDLE_CHUNK_AS_DEFAULT);
437 }
438
439 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
440}
441
442void /* PRIVATE */
443png_push_crc_skip(png_structrp png_ptr, png_uint_32 skip)
444{
445 png_ptr->process_mode = PNG_SKIP_MODE;
446 png_ptr->skip_length = skip;
447}
448
449void /* PRIVATE */
450png_push_crc_finish(png_structrp png_ptr)
451{
452 if (png_ptr->skip_length != 0 && png_ptr->save_buffer_size != 0)
453 {
454 png_size_t save_size = png_ptr->save_buffer_size;
455 png_uint_32 skip_length = png_ptr->skip_length;
456
457 /* We want the smaller of 'skip_length' and 'save_buffer_size', but
458 * they are of different types and we don't know which variable has the
459 * fewest bits. Carefully select the smaller and cast it to the type of
460 * the larger - this cannot overflow. Do not cast in the following test
461 * - it will break on either 16 or 64 bit platforms.
462 */
463 if (skip_length < save_size)
464 save_size = (png_size_t)skip_length;
465
466 else
467 skip_length = (png_uint_32)save_size;
468
469 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
470
471 png_ptr->skip_length -= skip_length;
472 png_ptr->buffer_size -= save_size;
473 png_ptr->save_buffer_size -= save_size;
474 png_ptr->save_buffer_ptr += save_size;
475 }
476 if (png_ptr->skip_length != 0 && png_ptr->current_buffer_size != 0)
477 {
478 png_size_t save_size = png_ptr->current_buffer_size;
479 png_uint_32 skip_length = png_ptr->skip_length;
480
481 /* We want the smaller of 'skip_length' and 'current_buffer_size', here,
482 * the same problem exists as above and the same solution.
483 */
484 if (skip_length < save_size)
485 save_size = (png_size_t)skip_length;
486
487 else
488 skip_length = (png_uint_32)save_size;
489
490 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
491
492 png_ptr->skip_length -= skip_length;
493 png_ptr->buffer_size -= save_size;
494 png_ptr->current_buffer_size -= save_size;
495 png_ptr->current_buffer_ptr += save_size;
496 }
497 if (png_ptr->skip_length == 0)
498 {
499 PNG_PUSH_SAVE_BUFFER_IF_LT(4)
500 png_crc_finish(png_ptr, 0);
501 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
502 }
503}
504
505void PNGCBAPI
506png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length)
507{
508 png_bytep ptr;
509
510 if (png_ptr == NULL)
511 return;
512
513 ptr = buffer;
514 if (png_ptr->save_buffer_size != 0)
515 {
516 png_size_t save_size;
517
518 if (length < png_ptr->save_buffer_size)
519 save_size = length;
520
521 else
522 save_size = png_ptr->save_buffer_size;
523
524 memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
525 length -= save_size;
526 ptr += save_size;
527 png_ptr->buffer_size -= save_size;
528 png_ptr->save_buffer_size -= save_size;
529 png_ptr->save_buffer_ptr += save_size;
530 }
531 if (length != 0 && png_ptr->current_buffer_size != 0)
532 {
533 png_size_t save_size;
534
535 if (length < png_ptr->current_buffer_size)
536 save_size = length;
537
538 else
539 save_size = png_ptr->current_buffer_size;
540
541 memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
542 png_ptr->buffer_size -= save_size;
543 png_ptr->current_buffer_size -= save_size;
544 png_ptr->current_buffer_ptr += save_size;
545 }
546}
547
548void /* PRIVATE */
549png_push_save_buffer(png_structrp png_ptr)
550{
551 if (png_ptr->save_buffer_size != 0)
552 {
553 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
554 {
555 png_size_t i, istop;
556 png_bytep sp;
557 png_bytep dp;
558
559 istop = png_ptr->save_buffer_size;
560 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
561 i < istop; i++, sp++, dp++)
562 {
563 *dp = *sp;
564 }
565 }
566 }
567 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
568 png_ptr->save_buffer_max)
569 {
570 png_size_t new_max;
571 png_bytep old_buffer;
572
573 if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
574 (png_ptr->current_buffer_size + 256))
575 {
576 png_error(png_ptr, "Potential overflow of save_buffer");
577 }
578
579 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
580 old_buffer = png_ptr->save_buffer;
581 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
582 (png_size_t)new_max);
583
584 if (png_ptr->save_buffer == NULL)
585 {
586 png_free(png_ptr, old_buffer);
587 old_buffer = NULL;
588 png_error(png_ptr, "Insufficient memory for save_buffer");
589 }
590
591 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
592 png_free(png_ptr, old_buffer);
593 old_buffer = NULL;
594 png_ptr->save_buffer_max = new_max;
595 }
596 if (png_ptr->current_buffer_size)
597 {
598 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
599 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
600 png_ptr->save_buffer_size += png_ptr->current_buffer_size;
601 png_ptr->current_buffer_size = 0;
602 }
603 png_ptr->save_buffer_ptr = png_ptr->save_buffer;
604 png_ptr->buffer_size = 0;
605}
606
607void /* PRIVATE */
608png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer,
609 png_size_t buffer_length)
610{
611 png_ptr->current_buffer = buffer;
612 png_ptr->current_buffer_size = buffer_length;
613 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
614 png_ptr->current_buffer_ptr = png_ptr->current_buffer;
615}
616
617void /* PRIVATE */
618png_push_read_IDAT(png_structrp png_ptr)
619{
620 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
621 {
622 png_byte chunk_length[4];
623 png_byte chunk_tag[4];
624
625 /* TODO: this code can be commoned up with the same code in push_read */
626 PNG_PUSH_SAVE_BUFFER_IF_LT(8)
627 png_push_fill_buffer(png_ptr, chunk_length, 4);
628 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
629 png_reset_crc(png_ptr);
630 png_crc_read(png_ptr, chunk_tag, 4);
631 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
632 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
633
634 if (png_ptr->chunk_name != png_IDAT)
635 {
636 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
637
638 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
639 png_error(png_ptr, "Not enough compressed data");
640
641 return;
642 }
643
644 png_ptr->idat_size = png_ptr->push_length;
645 }
646
647 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
648 {
649 png_size_t save_size = png_ptr->save_buffer_size;
650 png_uint_32 idat_size = png_ptr->idat_size;
651
652 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
653 * are of different types and we don't know which variable has the fewest
654 * bits. Carefully select the smaller and cast it to the type of the
655 * larger - this cannot overflow. Do not cast in the following test - it
656 * will break on either 16 or 64 bit platforms.
657 */
658 if (idat_size < save_size)
659 save_size = (png_size_t)idat_size;
660
661 else
662 idat_size = (png_uint_32)save_size;
663
664 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
665
666 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
667
668 png_ptr->idat_size -= idat_size;
669 png_ptr->buffer_size -= save_size;
670 png_ptr->save_buffer_size -= save_size;
671 png_ptr->save_buffer_ptr += save_size;
672 }
673
674 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
675 {
676 png_size_t save_size = png_ptr->current_buffer_size;
677 png_uint_32 idat_size = png_ptr->idat_size;
678
679 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
680 * are of different types and we don't know which variable has the fewest
681 * bits. Carefully select the smaller and cast it to the type of the
682 * larger - this cannot overflow.
683 */
684 if (idat_size < save_size)
685 save_size = (png_size_t)idat_size;
686
687 else
688 idat_size = (png_uint_32)save_size;
689
690 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
691
692 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
693
694 png_ptr->idat_size -= idat_size;
695 png_ptr->buffer_size -= save_size;
696 png_ptr->current_buffer_size -= save_size;
697 png_ptr->current_buffer_ptr += save_size;
698 }
699 if (png_ptr->idat_size == 0)
700 {
701 PNG_PUSH_SAVE_BUFFER_IF_LT(4)
702 png_crc_finish(png_ptr, 0);
703 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
704 png_ptr->mode |= PNG_AFTER_IDAT;
705 png_ptr->zowner = 0;
706 }
707}
708
709void /* PRIVATE */
710png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
711 png_size_t buffer_length)
712{
713 /* The caller checks for a non-zero buffer length. */
714 if (!(buffer_length > 0) || buffer == NULL)
715 png_error(png_ptr, "No IDAT data (internal error)");
716
717 /* This routine must process all the data it has been given
718 * before returning, calling the row callback as required to
719 * handle the uncompressed results.
720 */
721 png_ptr->zstream.next_in = buffer;
722 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
723 png_ptr->zstream.avail_in = (uInt)buffer_length;
724
725 /* Keep going until the decompressed data is all processed
726 * or the stream marked as finished.
727 */
728 while (png_ptr->zstream.avail_in > 0 &&
729 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
730 {
731 int ret;
732
733 /* We have data for zlib, but we must check that zlib
734 * has someplace to put the results. It doesn't matter
735 * if we don't expect any results -- it may be the input
736 * data is just the LZ end code.
737 */
738 if (!(png_ptr->zstream.avail_out > 0))
739 {
740 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */
741 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth,
742 png_ptr->iwidth) + 1);
743
744 png_ptr->zstream.next_out = png_ptr->row_buf;
745 }
746
747 /* Using Z_SYNC_FLUSH here means that an unterminated
748 * LZ stream (a stream with a missing end code) can still
749 * be handled, otherwise (Z_NO_FLUSH) a future zlib
750 * implementation might defer output and therefore
751 * change the current behavior (see comments in inflate.c
752 * for why this doesn't happen at present with zlib 1.2.5).
753 */
754 ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);
755
756 /* Check for any failure before proceeding. */
757 if (ret != Z_OK && ret != Z_STREAM_END)
758 {
759 /* Terminate the decompression. */
760 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
761 png_ptr->zowner = 0;
762
763 /* This may be a truncated stream (missing or
764 * damaged end code). Treat that as a warning.
765 */
766 if (png_ptr->row_number >= png_ptr->num_rows ||
767 png_ptr->pass > 6)
768 png_warning(png_ptr, "Truncated compressed data in IDAT");
769
770 else
771 png_error(png_ptr, "Decompression error in IDAT");
772
773 /* Skip the check on unprocessed input */
774 return;
775 }
776
777 /* Did inflate output any data? */
778 if (png_ptr->zstream.next_out != png_ptr->row_buf)
779 {
780 /* Is this unexpected data after the last row?
781 * If it is, artificially terminate the LZ output
782 * here.
783 */
784 if (png_ptr->row_number >= png_ptr->num_rows ||
785 png_ptr->pass > 6)
786 {
787 /* Extra data. */
788 png_warning(png_ptr, "Extra compressed data in IDAT");
789 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
790 png_ptr->zowner = 0;
791
792 /* Do no more processing; skip the unprocessed
793 * input check below.
794 */
795 return;
796 }
797
798 /* Do we have a complete row? */
799 if (png_ptr->zstream.avail_out == 0)
800 png_push_process_row(png_ptr);
801 }
802
803 /* And check for the end of the stream. */
804 if (ret == Z_STREAM_END)
805 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
806 }
807
808 /* All the data should have been processed, if anything
809 * is left at this point we have bytes of IDAT data
810 * after the zlib end code.
811 */
812 if (png_ptr->zstream.avail_in > 0)
813 png_warning(png_ptr, "Extra compression data in IDAT");
814}
815
816void /* PRIVATE */
817png_push_process_row(png_structrp png_ptr)
818{
819 /* 1.5.6: row_info moved out of png_struct to a local here. */
820 png_row_info row_info;
821
822 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
823 row_info.color_type = png_ptr->color_type;
824 row_info.bit_depth = png_ptr->bit_depth;
825 row_info.channels = png_ptr->channels;
826 row_info.pixel_depth = png_ptr->pixel_depth;
827 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
828
829 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
830 {
831 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
832 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
833 png_ptr->prev_row + 1, png_ptr->row_buf[0]);
834 else
835 png_error(png_ptr, "bad adaptive filter value");
836 }
837
838 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
839 * 1.5.6, while the buffer really is this big in current versions of libpng
840 * it may not be in the future, so this was changed just to copy the
841 * interlaced row count:
842 */
843 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
844
845#ifdef PNG_READ_TRANSFORMS_SUPPORTED
846 if (png_ptr->transformations != 0)
847 png_do_read_transformations(png_ptr, &row_info);
848#endif
849
850 /* The transformed pixel depth should match the depth now in row_info. */
851 if (png_ptr->transformed_pixel_depth == 0)
852 {
853 png_ptr->transformed_pixel_depth = row_info.pixel_depth;
854 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
855 png_error(png_ptr, "progressive row overflow");
856 }
857
858 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
859 png_error(png_ptr, "internal progressive row size calculation error");
860
861
862#ifdef PNG_READ_INTERLACING_SUPPORTED
863 /* Expand interlaced rows to full size */
864 if (png_ptr->interlaced != 0 &&
865 (png_ptr->transformations & PNG_INTERLACE) != 0)
866 {
867 if (png_ptr->pass < 6)
868 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
869 png_ptr->transformations);
870
871 switch (png_ptr->pass)
872 {
873 case 0:
874 {
875 int i;
876 for (i = 0; i < 8 && png_ptr->pass == 0; i++)
877 {
878 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
879 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
880 }
881
882 if (png_ptr->pass == 2) /* Pass 1 might be empty */
883 {
884 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
885 {
886 png_push_have_row(png_ptr, NULL);
887 png_read_push_finish_row(png_ptr);
888 }
889 }
890
891 if (png_ptr->pass == 4 && png_ptr->height <= 4)
892 {
893 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
894 {
895 png_push_have_row(png_ptr, NULL);
896 png_read_push_finish_row(png_ptr);
897 }
898 }
899
900 if (png_ptr->pass == 6 && png_ptr->height <= 4)
901 {
902 png_push_have_row(png_ptr, NULL);
903 png_read_push_finish_row(png_ptr);
904 }
905
906 break;
907 }
908
909 case 1:
910 {
911 int i;
912 for (i = 0; i < 8 && png_ptr->pass == 1; i++)
913 {
914 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
915 png_read_push_finish_row(png_ptr);
916 }
917
918 if (png_ptr->pass == 2) /* Skip top 4 generated rows */
919 {
920 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
921 {
922 png_push_have_row(png_ptr, NULL);
923 png_read_push_finish_row(png_ptr);
924 }
925 }
926
927 break;
928 }
929
930 case 2:
931 {
932 int i;
933
934 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
935 {
936 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
937 png_read_push_finish_row(png_ptr);
938 }
939
940 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
941 {
942 png_push_have_row(png_ptr, NULL);
943 png_read_push_finish_row(png_ptr);
944 }
945
946 if (png_ptr->pass == 4) /* Pass 3 might be empty */
947 {
948 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
949 {
950 png_push_have_row(png_ptr, NULL);
951 png_read_push_finish_row(png_ptr);
952 }
953 }
954
955 break;
956 }
957
958 case 3:
959 {
960 int i;
961
962 for (i = 0; i < 4 && png_ptr->pass == 3; i++)
963 {
964 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
965 png_read_push_finish_row(png_ptr);
966 }
967
968 if (png_ptr->pass == 4) /* Skip top two generated rows */
969 {
970 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
971 {
972 png_push_have_row(png_ptr, NULL);
973 png_read_push_finish_row(png_ptr);
974 }
975 }
976
977 break;
978 }
979
980 case 4:
981 {
982 int i;
983
984 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
985 {
986 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
987 png_read_push_finish_row(png_ptr);
988 }
989
990 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
991 {
992 png_push_have_row(png_ptr, NULL);
993 png_read_push_finish_row(png_ptr);
994 }
995
996 if (png_ptr->pass == 6) /* Pass 5 might be empty */
997 {
998 png_push_have_row(png_ptr, NULL);
999 png_read_push_finish_row(png_ptr);
1000 }
1001
1002 break;
1003 }
1004
1005 case 5:
1006 {
1007 int i;
1008
1009 for (i = 0; i < 2 && png_ptr->pass == 5; i++)
1010 {
1011 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1012 png_read_push_finish_row(png_ptr);
1013 }
1014
1015 if (png_ptr->pass == 6) /* Skip top generated row */
1016 {
1017 png_push_have_row(png_ptr, NULL);
1018 png_read_push_finish_row(png_ptr);
1019 }
1020
1021 break;
1022 }
1023
1024 default:
1025 case 6:
1026 {
1027 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1028 png_read_push_finish_row(png_ptr);
1029
1030 if (png_ptr->pass != 6)
1031 break;
1032
1033 png_push_have_row(png_ptr, NULL);
1034 png_read_push_finish_row(png_ptr);
1035 }
1036 }
1037 }
1038 else
1039#endif
1040 {
1041 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1042 png_read_push_finish_row(png_ptr);
1043 }
1044}
1045
1046void /* PRIVATE */
1047png_read_push_finish_row(png_structrp png_ptr)
1048{
1049#ifdef PNG_READ_INTERLACING_SUPPORTED
1050 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1051
1052 /* Start of interlace block */
1053 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
1054
1055 /* Offset to next interlace block */
1056 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
1057
1058 /* Start of interlace block in the y direction */
1059 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
1060
1061 /* Offset to next interlace block in the y direction */
1062 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
1063
1064 /* Height of interlace block. This is not currently used - if you need
1065 * it, uncomment it here and in png.h
1066 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
1067 */
1068#endif
1069
1070 png_ptr->row_number++;
1071 if (png_ptr->row_number < png_ptr->num_rows)
1072 return;
1073
1074#ifdef PNG_READ_INTERLACING_SUPPORTED
1075 if (png_ptr->interlaced != 0)
1076 {
1077 png_ptr->row_number = 0;
1078 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
1079
1080 do
1081 {
1082 png_ptr->pass++;
1083 if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
1084 (png_ptr->pass == 3 && png_ptr->width < 3) ||
1085 (png_ptr->pass == 5 && png_ptr->width < 2))
1086 png_ptr->pass++;
1087
1088 if (png_ptr->pass > 7)
1089 png_ptr->pass--;
1090
1091 if (png_ptr->pass >= 7)
1092 break;
1093
1094 png_ptr->iwidth = (png_ptr->width +
1095 png_pass_inc[png_ptr->pass] - 1 -
1096 png_pass_start[png_ptr->pass]) /
1097 png_pass_inc[png_ptr->pass];
1098
1099 if ((png_ptr->transformations & PNG_INTERLACE) != 0)
1100 break;
1101
1102 png_ptr->num_rows = (png_ptr->height +
1103 png_pass_yinc[png_ptr->pass] - 1 -
1104 png_pass_ystart[png_ptr->pass]) /
1105 png_pass_yinc[png_ptr->pass];
1106
1107 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1108 }
1109#endif /* READ_INTERLACING */
1110}
1111
1112void /* PRIVATE */
1113png_push_have_info(png_structrp png_ptr, png_inforp info_ptr)
1114{
1115 if (png_ptr->info_fn != NULL)
1116 (*(png_ptr->info_fn))(png_ptr, info_ptr);
1117}
1118
1119void /* PRIVATE */
1120png_push_have_end(png_structrp png_ptr, png_inforp info_ptr)
1121{
1122 if (png_ptr->end_fn != NULL)
1123 (*(png_ptr->end_fn))(png_ptr, info_ptr);
1124}
1125
1126void /* PRIVATE */
1127png_push_have_row(png_structrp png_ptr, png_bytep row)
1128{
1129 if (png_ptr->row_fn != NULL)
1130 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1131 (int)png_ptr->pass);
1132}
1133
1134#ifdef PNG_READ_INTERLACING_SUPPORTED
1135void PNGAPI
1136png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
1137 png_const_bytep new_row)
1138{
1139 if (png_ptr == NULL)
1140 return;
1141
1142 /* new_row is a flag here - if it is NULL then the app callback was called
1143 * from an empty row (see the calls to png_struct::row_fn below), otherwise
1144 * it must be png_ptr->row_buf+1
1145 */
1146 if (new_row != NULL)
1147 png_combine_row(png_ptr, old_row, 1/*blocky display*/);
1148}
1149#endif /* READ_INTERLACING */
1150
1151void PNGAPI
1152png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,
1153 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1154 png_progressive_end_ptr end_fn)
1155{
1156 if (png_ptr == NULL)
1157 return;
1158
1159 png_ptr->info_fn = info_fn;
1160 png_ptr->row_fn = row_fn;
1161 png_ptr->end_fn = end_fn;
1162
1163 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1164}
1165
1166png_voidp PNGAPI
1167png_get_progressive_ptr(png_const_structrp png_ptr)
1168{
1169 if (png_ptr == NULL)
1170 return (NULL);
1171
1172 return png_ptr->io_ptr;
1173}
1174#endif /* PROGRESSIVE_READ */