all repos — mgba @ 9de8f084ba55460b02d300c1dd8b8e6c56f691d5

mGBA Game Boy Advance Emulator

src/third-party/libpng/png.c (view raw)

   1
   2/* png.c - location for general purpose libpng functions
   3 *
   4 * Last changed in libpng 1.6.33 [September 28, 2017]
   5 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
   6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
   7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
   8 *
   9 * This code is released under the libpng license.
  10 * For conditions of distribution and use, see the disclaimer
  11 * and license in png.h
  12 */
  13
  14#include "pngpriv.h"
  15
  16/* Generate a compiler error if there is an old png.h in the search path. */
  17typedef png_libpng_version_1_6_34 Your_png_h_is_not_version_1_6_34;
  18
  19#ifdef __GNUC__
  20/* The version tests may need to be added to, but the problem warning has
  21 * consistently been fixed in GCC versions which obtain wide-spread release.
  22 * The problem is that many versions of GCC rearrange comparison expressions in
  23 * the optimizer in such a way that the results of the comparison will change
  24 * if signed integer overflow occurs.  Such comparisons are not permitted in
  25 * ANSI C90, however GCC isn't clever enough to work out that that do not occur
  26 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
  27 * -Wextra.  Unfortunately this is highly dependent on the optimizer and the
  28 * machine architecture so the warning comes and goes unpredictably and is
  29 * impossible to "fix", even were that a good idea.
  30 */
  31#if __GNUC__ == 7 && __GNUC_MINOR__ == 1
  32#define GCC_STRICT_OVERFLOW 1
  33#endif /* GNU 7.1.x */
  34#endif /* GNU */
  35#ifndef GCC_STRICT_OVERFLOW
  36#define GCC_STRICT_OVERFLOW 0
  37#endif
  38
  39/* Tells libpng that we have already handled the first "num_bytes" bytes
  40 * of the PNG file signature.  If the PNG data is embedded into another
  41 * stream we can set num_bytes = 8 so that libpng will not attempt to read
  42 * or write any of the magic bytes before it starts on the IHDR.
  43 */
  44
  45#ifdef PNG_READ_SUPPORTED
  46void PNGAPI
  47png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
  48{
  49   unsigned int nb = (unsigned int)num_bytes;
  50
  51   png_debug(1, "in png_set_sig_bytes");
  52
  53   if (png_ptr == NULL)
  54      return;
  55
  56   if (num_bytes < 0)
  57      nb = 0;
  58
  59   if (nb > 8)
  60      png_error(png_ptr, "Too many bytes for PNG signature");
  61
  62   png_ptr->sig_bytes = (png_byte)nb;
  63}
  64
  65/* Checks whether the supplied bytes match the PNG signature.  We allow
  66 * checking less than the full 8-byte signature so that those apps that
  67 * already read the first few bytes of a file to determine the file type
  68 * can simply check the remaining bytes for extra assurance.  Returns
  69 * an integer less than, equal to, or greater than zero if sig is found,
  70 * respectively, to be less than, to match, or be greater than the correct
  71 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
  72 */
  73int PNGAPI
  74png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
  75{
  76   png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
  77
  78   if (num_to_check > 8)
  79      num_to_check = 8;
  80
  81   else if (num_to_check < 1)
  82      return (-1);
  83
  84   if (start > 7)
  85      return (-1);
  86
  87   if (start + num_to_check > 8)
  88      num_to_check = 8 - start;
  89
  90   return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
  91}
  92
  93#endif /* READ */
  94
  95#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
  96/* Function to allocate memory for zlib */
  97PNG_FUNCTION(voidpf /* PRIVATE */,
  98png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
  99{
 100   png_alloc_size_t num_bytes = size;
 101
 102   if (png_ptr == NULL)
 103      return NULL;
 104
 105   if (items >= (~(png_alloc_size_t)0)/size)
 106   {
 107      png_warning (png_voidcast(png_structrp, png_ptr),
 108          "Potential overflow in png_zalloc()");
 109      return NULL;
 110   }
 111
 112   num_bytes *= items;
 113   return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
 114}
 115
 116/* Function to free memory for zlib */
 117void /* PRIVATE */
 118png_zfree(voidpf png_ptr, voidpf ptr)
 119{
 120   png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
 121}
 122
 123/* Reset the CRC variable to 32 bits of 1's.  Care must be taken
 124 * in case CRC is > 32 bits to leave the top bits 0.
 125 */
 126void /* PRIVATE */
 127png_reset_crc(png_structrp png_ptr)
 128{
 129   /* The cast is safe because the crc is a 32-bit value. */
 130   png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
 131}
 132
 133/* Calculate the CRC over a section of data.  We can only pass as
 134 * much data to this routine as the largest single buffer size.  We
 135 * also check that this data will actually be used before going to the
 136 * trouble of calculating it.
 137 */
 138void /* PRIVATE */
 139png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
 140{
 141   int need_crc = 1;
 142
 143   if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
 144   {
 145      if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
 146          (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
 147         need_crc = 0;
 148   }
 149
 150   else /* critical */
 151   {
 152      if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
 153         need_crc = 0;
 154   }
 155
 156   /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
 157    * systems it is a 64-bit value.  crc32, however, returns 32 bits so the
 158    * following cast is safe.  'uInt' may be no more than 16 bits, so it is
 159    * necessary to perform a loop here.
 160    */
 161   if (need_crc != 0 && length > 0)
 162   {
 163      uLong crc = png_ptr->crc; /* Should never issue a warning */
 164
 165      do
 166      {
 167         uInt safe_length = (uInt)length;
 168#ifndef __COVERITY__
 169         if (safe_length == 0)
 170            safe_length = (uInt)-1; /* evil, but safe */
 171#endif
 172
 173         crc = crc32(crc, ptr, safe_length);
 174
 175         /* The following should never issue compiler warnings; if they do the
 176          * target system has characteristics that will probably violate other
 177          * assumptions within the libpng code.
 178          */
 179         ptr += safe_length;
 180         length -= safe_length;
 181      }
 182      while (length > 0);
 183
 184      /* And the following is always safe because the crc is only 32 bits. */
 185      png_ptr->crc = (png_uint_32)crc;
 186   }
 187}
 188
 189/* Check a user supplied version number, called from both read and write
 190 * functions that create a png_struct.
 191 */
 192int
 193png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
 194{
 195   /* Libpng versions 1.0.0 and later are binary compatible if the version
 196    * string matches through the second '.'; we must recompile any
 197    * applications that use any older library version.
 198    */
 199
 200   if (user_png_ver != NULL)
 201   {
 202      int i = -1;
 203      int found_dots = 0;
 204
 205      do
 206      {
 207         i++;
 208         if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
 209            png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 210         if (user_png_ver[i] == '.')
 211            found_dots++;
 212      } while (found_dots < 2 && user_png_ver[i] != 0 &&
 213            PNG_LIBPNG_VER_STRING[i] != 0);
 214   }
 215
 216   else
 217      png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
 218
 219   if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
 220   {
 221#ifdef PNG_WARNINGS_SUPPORTED
 222      size_t pos = 0;
 223      char m[128];
 224
 225      pos = png_safecat(m, (sizeof m), pos,
 226          "Application built with libpng-");
 227      pos = png_safecat(m, (sizeof m), pos, user_png_ver);
 228      pos = png_safecat(m, (sizeof m), pos, " but running with ");
 229      pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
 230      PNG_UNUSED(pos)
 231
 232      png_warning(png_ptr, m);
 233#endif
 234
 235#ifdef PNG_ERROR_NUMBERS_SUPPORTED
 236      png_ptr->flags = 0;
 237#endif
 238
 239      return 0;
 240   }
 241
 242   /* Success return. */
 243   return 1;
 244}
 245
 246/* Generic function to create a png_struct for either read or write - this
 247 * contains the common initialization.
 248 */
 249PNG_FUNCTION(png_structp /* PRIVATE */,
 250png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
 251    png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
 252    png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
 253{
 254   png_struct create_struct;
 255#  ifdef PNG_SETJMP_SUPPORTED
 256      jmp_buf create_jmp_buf;
 257#  endif
 258
 259   /* This temporary stack-allocated structure is used to provide a place to
 260    * build enough context to allow the user provided memory allocator (if any)
 261    * to be called.
 262    */
 263   memset(&create_struct, 0, (sizeof create_struct));
 264
 265   /* Added at libpng-1.2.6 */
 266#  ifdef PNG_USER_LIMITS_SUPPORTED
 267      create_struct.user_width_max = PNG_USER_WIDTH_MAX;
 268      create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
 269
 270#     ifdef PNG_USER_CHUNK_CACHE_MAX
 271      /* Added at libpng-1.2.43 and 1.4.0 */
 272      create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
 273#     endif
 274
 275#     ifdef PNG_USER_CHUNK_MALLOC_MAX
 276      /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
 277       * in png_struct regardless.
 278       */
 279      create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
 280#     endif
 281#  endif
 282
 283   /* The following two API calls simply set fields in png_struct, so it is safe
 284    * to do them now even though error handling is not yet set up.
 285    */
 286#  ifdef PNG_USER_MEM_SUPPORTED
 287      png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
 288#  else
 289      PNG_UNUSED(mem_ptr)
 290      PNG_UNUSED(malloc_fn)
 291      PNG_UNUSED(free_fn)
 292#  endif
 293
 294   /* (*error_fn) can return control to the caller after the error_ptr is set,
 295    * this will result in a memory leak unless the error_fn does something
 296    * extremely sophisticated.  The design lacks merit but is implicit in the
 297    * API.
 298    */
 299   png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
 300
 301#  ifdef PNG_SETJMP_SUPPORTED
 302      if (!setjmp(create_jmp_buf))
 303#  endif
 304      {
 305#  ifdef PNG_SETJMP_SUPPORTED
 306         /* Temporarily fake out the longjmp information until we have
 307          * successfully completed this function.  This only works if we have
 308          * setjmp() support compiled in, but it is safe - this stuff should
 309          * never happen.
 310          */
 311         create_struct.jmp_buf_ptr = &create_jmp_buf;
 312         create_struct.jmp_buf_size = 0; /*stack allocation*/
 313         create_struct.longjmp_fn = longjmp;
 314#  endif
 315         /* Call the general version checker (shared with read and write code):
 316          */
 317         if (png_user_version_check(&create_struct, user_png_ver) != 0)
 318         {
 319            png_structrp png_ptr = png_voidcast(png_structrp,
 320                png_malloc_warn(&create_struct, (sizeof *png_ptr)));
 321
 322            if (png_ptr != NULL)
 323            {
 324               /* png_ptr->zstream holds a back-pointer to the png_struct, so
 325                * this can only be done now:
 326                */
 327               create_struct.zstream.zalloc = png_zalloc;
 328               create_struct.zstream.zfree = png_zfree;
 329               create_struct.zstream.opaque = png_ptr;
 330
 331#              ifdef PNG_SETJMP_SUPPORTED
 332               /* Eliminate the local error handling: */
 333               create_struct.jmp_buf_ptr = NULL;
 334               create_struct.jmp_buf_size = 0;
 335               create_struct.longjmp_fn = 0;
 336#              endif
 337
 338               *png_ptr = create_struct;
 339
 340               /* This is the successful return point */
 341               return png_ptr;
 342            }
 343         }
 344      }
 345
 346   /* A longjmp because of a bug in the application storage allocator or a
 347    * simple failure to allocate the png_struct.
 348    */
 349   return NULL;
 350}
 351
 352/* Allocate the memory for an info_struct for the application. */
 353PNG_FUNCTION(png_infop,PNGAPI
 354png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
 355{
 356   png_inforp info_ptr;
 357
 358   png_debug(1, "in png_create_info_struct");
 359
 360   if (png_ptr == NULL)
 361      return NULL;
 362
 363   /* Use the internal API that does not (or at least should not) error out, so
 364    * that this call always returns ok.  The application typically sets up the
 365    * error handling *after* creating the info_struct because this is the way it
 366    * has always been done in 'example.c'.
 367    */
 368   info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
 369       (sizeof *info_ptr)));
 370
 371   if (info_ptr != NULL)
 372      memset(info_ptr, 0, (sizeof *info_ptr));
 373
 374   return info_ptr;
 375}
 376
 377/* This function frees the memory associated with a single info struct.
 378 * Normally, one would use either png_destroy_read_struct() or
 379 * png_destroy_write_struct() to free an info struct, but this may be
 380 * useful for some applications.  From libpng 1.6.0 this function is also used
 381 * internally to implement the png_info release part of the 'struct' destroy
 382 * APIs.  This ensures that all possible approaches free the same data (all of
 383 * it).
 384 */
 385void PNGAPI
 386png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
 387{
 388   png_inforp info_ptr = NULL;
 389
 390   png_debug(1, "in png_destroy_info_struct");
 391
 392   if (png_ptr == NULL)
 393      return;
 394
 395   if (info_ptr_ptr != NULL)
 396      info_ptr = *info_ptr_ptr;
 397
 398   if (info_ptr != NULL)
 399   {
 400      /* Do this first in case of an error below; if the app implements its own
 401       * memory management this can lead to png_free calling png_error, which
 402       * will abort this routine and return control to the app error handler.
 403       * An infinite loop may result if it then tries to free the same info
 404       * ptr.
 405       */
 406      *info_ptr_ptr = NULL;
 407
 408      png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
 409      memset(info_ptr, 0, (sizeof *info_ptr));
 410      png_free(png_ptr, info_ptr);
 411   }
 412}
 413
 414/* Initialize the info structure.  This is now an internal function (0.89)
 415 * and applications using it are urged to use png_create_info_struct()
 416 * instead.  Use deprecated in 1.6.0, internal use removed (used internally it
 417 * is just a memset).
 418 *
 419 * NOTE: it is almost inconceivable that this API is used because it bypasses
 420 * the user-memory mechanism and the user error handling/warning mechanisms in
 421 * those cases where it does anything other than a memset.
 422 */
 423PNG_FUNCTION(void,PNGAPI
 424png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
 425    PNG_DEPRECATED)
 426{
 427   png_inforp info_ptr = *ptr_ptr;
 428
 429   png_debug(1, "in png_info_init_3");
 430
 431   if (info_ptr == NULL)
 432      return;
 433
 434   if ((sizeof (png_info)) > png_info_struct_size)
 435   {
 436      *ptr_ptr = NULL;
 437      /* The following line is why this API should not be used: */
 438      free(info_ptr);
 439      info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
 440          (sizeof *info_ptr)));
 441      if (info_ptr == NULL)
 442         return;
 443      *ptr_ptr = info_ptr;
 444   }
 445
 446   /* Set everything to 0 */
 447   memset(info_ptr, 0, (sizeof *info_ptr));
 448}
 449
 450/* The following API is not called internally */
 451void PNGAPI
 452png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
 453    int freer, png_uint_32 mask)
 454{
 455   png_debug(1, "in png_data_freer");
 456
 457   if (png_ptr == NULL || info_ptr == NULL)
 458      return;
 459
 460   if (freer == PNG_DESTROY_WILL_FREE_DATA)
 461      info_ptr->free_me |= mask;
 462
 463   else if (freer == PNG_USER_WILL_FREE_DATA)
 464      info_ptr->free_me &= ~mask;
 465
 466   else
 467      png_error(png_ptr, "Unknown freer parameter in png_data_freer");
 468}
 469
 470void PNGAPI
 471png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
 472    int num)
 473{
 474   png_debug(1, "in png_free_data");
 475
 476   if (png_ptr == NULL || info_ptr == NULL)
 477      return;
 478
 479#ifdef PNG_TEXT_SUPPORTED
 480   /* Free text item num or (if num == -1) all text items */
 481   if (info_ptr->text != NULL &&
 482       ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
 483   {
 484      if (num != -1)
 485      {
 486         png_free(png_ptr, info_ptr->text[num].key);
 487         info_ptr->text[num].key = NULL;
 488      }
 489
 490      else
 491      {
 492         int i;
 493
 494         for (i = 0; i < info_ptr->num_text; i++)
 495            png_free(png_ptr, info_ptr->text[i].key);
 496
 497         png_free(png_ptr, info_ptr->text);
 498         info_ptr->text = NULL;
 499         info_ptr->num_text = 0;
 500         info_ptr->max_text = 0;
 501      }
 502   }
 503#endif
 504
 505#ifdef PNG_tRNS_SUPPORTED
 506   /* Free any tRNS entry */
 507   if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
 508   {
 509      info_ptr->valid &= ~PNG_INFO_tRNS;
 510      png_free(png_ptr, info_ptr->trans_alpha);
 511      info_ptr->trans_alpha = NULL;
 512      info_ptr->num_trans = 0;
 513   }
 514#endif
 515
 516#ifdef PNG_sCAL_SUPPORTED
 517   /* Free any sCAL entry */
 518   if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
 519   {
 520      png_free(png_ptr, info_ptr->scal_s_width);
 521      png_free(png_ptr, info_ptr->scal_s_height);
 522      info_ptr->scal_s_width = NULL;
 523      info_ptr->scal_s_height = NULL;
 524      info_ptr->valid &= ~PNG_INFO_sCAL;
 525   }
 526#endif
 527
 528#ifdef PNG_pCAL_SUPPORTED
 529   /* Free any pCAL entry */
 530   if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
 531   {
 532      png_free(png_ptr, info_ptr->pcal_purpose);
 533      png_free(png_ptr, info_ptr->pcal_units);
 534      info_ptr->pcal_purpose = NULL;
 535      info_ptr->pcal_units = NULL;
 536
 537      if (info_ptr->pcal_params != NULL)
 538         {
 539            int i;
 540
 541            for (i = 0; i < info_ptr->pcal_nparams; i++)
 542               png_free(png_ptr, info_ptr->pcal_params[i]);
 543
 544            png_free(png_ptr, info_ptr->pcal_params);
 545            info_ptr->pcal_params = NULL;
 546         }
 547      info_ptr->valid &= ~PNG_INFO_pCAL;
 548   }
 549#endif
 550
 551#ifdef PNG_iCCP_SUPPORTED
 552   /* Free any profile entry */
 553   if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
 554   {
 555      png_free(png_ptr, info_ptr->iccp_name);
 556      png_free(png_ptr, info_ptr->iccp_profile);
 557      info_ptr->iccp_name = NULL;
 558      info_ptr->iccp_profile = NULL;
 559      info_ptr->valid &= ~PNG_INFO_iCCP;
 560   }
 561#endif
 562
 563#ifdef PNG_sPLT_SUPPORTED
 564   /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
 565   if (info_ptr->splt_palettes != NULL &&
 566       ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
 567   {
 568      if (num != -1)
 569      {
 570         png_free(png_ptr, info_ptr->splt_palettes[num].name);
 571         png_free(png_ptr, info_ptr->splt_palettes[num].entries);
 572         info_ptr->splt_palettes[num].name = NULL;
 573         info_ptr->splt_palettes[num].entries = NULL;
 574      }
 575
 576      else
 577      {
 578         int i;
 579
 580         for (i = 0; i < info_ptr->splt_palettes_num; i++)
 581         {
 582            png_free(png_ptr, info_ptr->splt_palettes[i].name);
 583            png_free(png_ptr, info_ptr->splt_palettes[i].entries);
 584         }
 585
 586         png_free(png_ptr, info_ptr->splt_palettes);
 587         info_ptr->splt_palettes = NULL;
 588         info_ptr->splt_palettes_num = 0;
 589         info_ptr->valid &= ~PNG_INFO_sPLT;
 590      }
 591   }
 592#endif
 593
 594#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
 595   if (info_ptr->unknown_chunks != NULL &&
 596       ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
 597   {
 598      if (num != -1)
 599      {
 600          png_free(png_ptr, info_ptr->unknown_chunks[num].data);
 601          info_ptr->unknown_chunks[num].data = NULL;
 602      }
 603
 604      else
 605      {
 606         int i;
 607
 608         for (i = 0; i < info_ptr->unknown_chunks_num; i++)
 609            png_free(png_ptr, info_ptr->unknown_chunks[i].data);
 610
 611         png_free(png_ptr, info_ptr->unknown_chunks);
 612         info_ptr->unknown_chunks = NULL;
 613         info_ptr->unknown_chunks_num = 0;
 614      }
 615   }
 616#endif
 617
 618#ifdef PNG_eXIf_SUPPORTED
 619   /* Free any eXIf entry */
 620   if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
 621   {
 622# ifdef PNG_READ_eXIf_SUPPORTED
 623      if (info_ptr->eXIf_buf)
 624      {
 625         png_free(png_ptr, info_ptr->eXIf_buf);
 626         info_ptr->eXIf_buf = NULL;
 627      }
 628# endif
 629      if (info_ptr->exif)
 630      {
 631         png_free(png_ptr, info_ptr->exif);
 632         info_ptr->exif = NULL;
 633      }
 634      info_ptr->valid &= ~PNG_INFO_eXIf;
 635   }
 636#endif
 637
 638#ifdef PNG_hIST_SUPPORTED
 639   /* Free any hIST entry */
 640   if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
 641   {
 642      png_free(png_ptr, info_ptr->hist);
 643      info_ptr->hist = NULL;
 644      info_ptr->valid &= ~PNG_INFO_hIST;
 645   }
 646#endif
 647
 648   /* Free any PLTE entry that was internally allocated */
 649   if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
 650   {
 651      png_free(png_ptr, info_ptr->palette);
 652      info_ptr->palette = NULL;
 653      info_ptr->valid &= ~PNG_INFO_PLTE;
 654      info_ptr->num_palette = 0;
 655   }
 656
 657#ifdef PNG_INFO_IMAGE_SUPPORTED
 658   /* Free any image bits attached to the info structure */
 659   if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
 660   {
 661      if (info_ptr->row_pointers != NULL)
 662      {
 663         png_uint_32 row;
 664         for (row = 0; row < info_ptr->height; row++)
 665            png_free(png_ptr, info_ptr->row_pointers[row]);
 666
 667         png_free(png_ptr, info_ptr->row_pointers);
 668         info_ptr->row_pointers = NULL;
 669      }
 670      info_ptr->valid &= ~PNG_INFO_IDAT;
 671   }
 672#endif
 673
 674   if (num != -1)
 675      mask &= ~PNG_FREE_MUL;
 676
 677   info_ptr->free_me &= ~mask;
 678}
 679#endif /* READ || WRITE */
 680
 681/* This function returns a pointer to the io_ptr associated with the user
 682 * functions.  The application should free any memory associated with this
 683 * pointer before png_write_destroy() or png_read_destroy() are called.
 684 */
 685png_voidp PNGAPI
 686png_get_io_ptr(png_const_structrp png_ptr)
 687{
 688   if (png_ptr == NULL)
 689      return (NULL);
 690
 691   return (png_ptr->io_ptr);
 692}
 693
 694#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 695#  ifdef PNG_STDIO_SUPPORTED
 696/* Initialize the default input/output functions for the PNG file.  If you
 697 * use your own read or write routines, you can call either png_set_read_fn()
 698 * or png_set_write_fn() instead of png_init_io().  If you have defined
 699 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
 700 * function of your own because "FILE *" isn't necessarily available.
 701 */
 702void PNGAPI
 703png_init_io(png_structrp png_ptr, png_FILE_p fp)
 704{
 705   png_debug(1, "in png_init_io");
 706
 707   if (png_ptr == NULL)
 708      return;
 709
 710   png_ptr->io_ptr = (png_voidp)fp;
 711}
 712#  endif
 713
 714#  ifdef PNG_SAVE_INT_32_SUPPORTED
 715/* PNG signed integers are saved in 32-bit 2's complement format.  ANSI C-90
 716 * defines a cast of a signed integer to an unsigned integer either to preserve
 717 * the value, if it is positive, or to calculate:
 718 *
 719 *     (UNSIGNED_MAX+1) + integer
 720 *
 721 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
 722 * negative integral value is added the result will be an unsigned value
 723 * correspnding to the 2's complement representation.
 724 */
 725void PNGAPI
 726png_save_int_32(png_bytep buf, png_int_32 i)
 727{
 728   png_save_uint_32(buf, (png_uint_32)i);
 729}
 730#  endif
 731
 732#  ifdef PNG_TIME_RFC1123_SUPPORTED
 733/* Convert the supplied time into an RFC 1123 string suitable for use in
 734 * a "Creation Time" or other text-based time string.
 735 */
 736int PNGAPI
 737png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
 738{
 739   static PNG_CONST char short_months[12][4] =
 740        {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
 741         "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
 742
 743   if (out == NULL)
 744      return 0;
 745
 746   if (ptime->year > 9999 /* RFC1123 limitation */ ||
 747       ptime->month == 0    ||  ptime->month > 12  ||
 748       ptime->day   == 0    ||  ptime->day   > 31  ||
 749       ptime->hour  > 23    ||  ptime->minute > 59 ||
 750       ptime->second > 60)
 751      return 0;
 752
 753   {
 754      size_t pos = 0;
 755      char number_buf[5]; /* enough for a four-digit year */
 756
 757#     define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
 758#     define APPEND_NUMBER(format, value)\
 759         APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
 760#     define APPEND(ch) if (pos < 28) out[pos++] = (ch)
 761
 762      APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
 763      APPEND(' ');
 764      APPEND_STRING(short_months[(ptime->month - 1)]);
 765      APPEND(' ');
 766      APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
 767      APPEND(' ');
 768      APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
 769      APPEND(':');
 770      APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
 771      APPEND(':');
 772      APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
 773      APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
 774      PNG_UNUSED (pos)
 775
 776#     undef APPEND
 777#     undef APPEND_NUMBER
 778#     undef APPEND_STRING
 779   }
 780
 781   return 1;
 782}
 783
 784#    if PNG_LIBPNG_VER < 10700
 785/* To do: remove the following from libpng-1.7 */
 786/* Original API that uses a private buffer in png_struct.
 787 * Deprecated because it causes png_struct to carry a spurious temporary
 788 * buffer (png_struct::time_buffer), better to have the caller pass this in.
 789 */
 790png_const_charp PNGAPI
 791png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
 792{
 793   if (png_ptr != NULL)
 794   {
 795      /* The only failure above if png_ptr != NULL is from an invalid ptime */
 796      if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
 797         png_warning(png_ptr, "Ignoring invalid time value");
 798
 799      else
 800         return png_ptr->time_buffer;
 801   }
 802
 803   return NULL;
 804}
 805#    endif /* LIBPNG_VER < 10700 */
 806#  endif /* TIME_RFC1123 */
 807
 808#endif /* READ || WRITE */
 809
 810png_const_charp PNGAPI
 811png_get_copyright(png_const_structrp png_ptr)
 812{
 813   PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 814#ifdef PNG_STRING_COPYRIGHT
 815   return PNG_STRING_COPYRIGHT
 816#else
 817#  ifdef __STDC__
 818   return PNG_STRING_NEWLINE \
 819      "libpng version 1.6.34 - September 29, 2017" PNG_STRING_NEWLINE \
 820      "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \
 821      PNG_STRING_NEWLINE \
 822      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
 823      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
 824      PNG_STRING_NEWLINE;
 825#  else
 826   return "libpng version 1.6.34 - September 29, 2017\
 827      Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\
 828      Copyright (c) 1996-1997 Andreas Dilger\
 829      Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
 830#  endif
 831#endif
 832}
 833
 834/* The following return the library version as a short string in the
 835 * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
 836 * used with your application, print out PNG_LIBPNG_VER_STRING, which
 837 * is defined in png.h.
 838 * Note: now there is no difference between png_get_libpng_ver() and
 839 * png_get_header_ver().  Due to the version_nn_nn_nn typedef guard,
 840 * it is guaranteed that png.c uses the correct version of png.h.
 841 */
 842png_const_charp PNGAPI
 843png_get_libpng_ver(png_const_structrp png_ptr)
 844{
 845   /* Version of *.c files used when building libpng */
 846   return png_get_header_ver(png_ptr);
 847}
 848
 849png_const_charp PNGAPI
 850png_get_header_ver(png_const_structrp png_ptr)
 851{
 852   /* Version of *.h files used when building libpng */
 853   PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 854   return PNG_LIBPNG_VER_STRING;
 855}
 856
 857png_const_charp PNGAPI
 858png_get_header_version(png_const_structrp png_ptr)
 859{
 860   /* Returns longer string containing both version and date */
 861   PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
 862#ifdef __STDC__
 863   return PNG_HEADER_VERSION_STRING
 864#  ifndef PNG_READ_SUPPORTED
 865      " (NO READ SUPPORT)"
 866#  endif
 867      PNG_STRING_NEWLINE;
 868#else
 869   return PNG_HEADER_VERSION_STRING;
 870#endif
 871}
 872
 873#ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
 874/* NOTE: this routine is not used internally! */
 875/* Build a grayscale palette.  Palette is assumed to be 1 << bit_depth
 876 * large of png_color.  This lets grayscale images be treated as
 877 * paletted.  Most useful for gamma correction and simplification
 878 * of code.  This API is not used internally.
 879 */
 880void PNGAPI
 881png_build_grayscale_palette(int bit_depth, png_colorp palette)
 882{
 883   int num_palette;
 884   int color_inc;
 885   int i;
 886   int v;
 887
 888   png_debug(1, "in png_do_build_grayscale_palette");
 889
 890   if (palette == NULL)
 891      return;
 892
 893   switch (bit_depth)
 894   {
 895      case 1:
 896         num_palette = 2;
 897         color_inc = 0xff;
 898         break;
 899
 900      case 2:
 901         num_palette = 4;
 902         color_inc = 0x55;
 903         break;
 904
 905      case 4:
 906         num_palette = 16;
 907         color_inc = 0x11;
 908         break;
 909
 910      case 8:
 911         num_palette = 256;
 912         color_inc = 1;
 913         break;
 914
 915      default:
 916         num_palette = 0;
 917         color_inc = 0;
 918         break;
 919   }
 920
 921   for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
 922   {
 923      palette[i].red = (png_byte)(v & 0xff);
 924      palette[i].green = (png_byte)(v & 0xff);
 925      palette[i].blue = (png_byte)(v & 0xff);
 926   }
 927}
 928#endif
 929
 930#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 931int PNGAPI
 932png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
 933{
 934   /* Check chunk_name and return "keep" value if it's on the list, else 0 */
 935   png_const_bytep p, p_end;
 936
 937   if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
 938      return PNG_HANDLE_CHUNK_AS_DEFAULT;
 939
 940   p_end = png_ptr->chunk_list;
 941   p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
 942
 943   /* The code is the fifth byte after each four byte string.  Historically this
 944    * code was always searched from the end of the list, this is no longer
 945    * necessary because the 'set' routine handles duplicate entries correcty.
 946    */
 947   do /* num_chunk_list > 0, so at least one */
 948   {
 949      p -= 5;
 950
 951      if (memcmp(chunk_name, p, 4) == 0)
 952         return p[4];
 953   }
 954   while (p > p_end);
 955
 956   /* This means that known chunks should be processed and unknown chunks should
 957    * be handled according to the value of png_ptr->unknown_default; this can be
 958    * confusing because, as a result, there are two levels of defaulting for
 959    * unknown chunks.
 960    */
 961   return PNG_HANDLE_CHUNK_AS_DEFAULT;
 962}
 963
 964#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
 965   defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
 966int /* PRIVATE */
 967png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
 968{
 969   png_byte chunk_string[5];
 970
 971   PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
 972   return png_handle_as_unknown(png_ptr, chunk_string);
 973}
 974#endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
 975#endif /* SET_UNKNOWN_CHUNKS */
 976
 977#ifdef PNG_READ_SUPPORTED
 978/* This function, added to libpng-1.0.6g, is untested. */
 979int PNGAPI
 980png_reset_zstream(png_structrp png_ptr)
 981{
 982   if (png_ptr == NULL)
 983      return Z_STREAM_ERROR;
 984
 985   /* WARNING: this resets the window bits to the maximum! */
 986   return (inflateReset(&png_ptr->zstream));
 987}
 988#endif /* READ */
 989
 990/* This function was added to libpng-1.0.7 */
 991png_uint_32 PNGAPI
 992png_access_version_number(void)
 993{
 994   /* Version of *.c files used when building libpng */
 995   return((png_uint_32)PNG_LIBPNG_VER);
 996}
 997
 998#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 999/* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
1000 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
1001 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
1002 */
1003void /* PRIVATE */
1004png_zstream_error(png_structrp png_ptr, int ret)
1005{
1006   /* Translate 'ret' into an appropriate error string, priority is given to the
1007    * one in zstream if set.  This always returns a string, even in cases like
1008    * Z_OK or Z_STREAM_END where the error code is a success code.
1009    */
1010   if (png_ptr->zstream.msg == NULL) switch (ret)
1011   {
1012      default:
1013      case Z_OK:
1014         png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1015         break;
1016
1017      case Z_STREAM_END:
1018         /* Normal exit */
1019         png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1020         break;
1021
1022      case Z_NEED_DICT:
1023         /* This means the deflate stream did not have a dictionary; this
1024          * indicates a bogus PNG.
1025          */
1026         png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1027         break;
1028
1029      case Z_ERRNO:
1030         /* gz APIs only: should not happen */
1031         png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1032         break;
1033
1034      case Z_STREAM_ERROR:
1035         /* internal libpng error */
1036         png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1037         break;
1038
1039      case Z_DATA_ERROR:
1040         png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1041         break;
1042
1043      case Z_MEM_ERROR:
1044         png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1045         break;
1046
1047      case Z_BUF_ERROR:
1048         /* End of input or output; not a problem if the caller is doing
1049          * incremental read or write.
1050          */
1051         png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1052         break;
1053
1054      case Z_VERSION_ERROR:
1055         png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1056         break;
1057
1058      case PNG_UNEXPECTED_ZLIB_RETURN:
1059         /* Compile errors here mean that zlib now uses the value co-opted in
1060          * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1061          * and change pngpriv.h.  Note that this message is "... return",
1062          * whereas the default/Z_OK one is "... return code".
1063          */
1064         png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1065         break;
1066   }
1067}
1068
1069/* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1070 * at libpng 1.5.5!
1071 */
1072
1073/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1074#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1075static int
1076png_colorspace_check_gamma(png_const_structrp png_ptr,
1077    png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1078   /* This is called to check a new gamma value against an existing one.  The
1079    * routine returns false if the new gamma value should not be written.
1080    *
1081    * 'from' says where the new gamma value comes from:
1082    *
1083    *    0: the new gamma value is the libpng estimate for an ICC profile
1084    *    1: the new gamma value comes from a gAMA chunk
1085    *    2: the new gamma value comes from an sRGB chunk
1086    */
1087{
1088   png_fixed_point gtest;
1089
1090   if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1091       (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0  ||
1092      png_gamma_significant(gtest) != 0))
1093   {
1094      /* Either this is an sRGB image, in which case the calculated gamma
1095       * approximation should match, or this is an image with a profile and the
1096       * value libpng calculates for the gamma of the profile does not match the
1097       * value recorded in the file.  The former, sRGB, case is an error, the
1098       * latter is just a warning.
1099       */
1100      if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1101      {
1102         png_chunk_report(png_ptr, "gamma value does not match sRGB",
1103             PNG_CHUNK_ERROR);
1104         /* Do not overwrite an sRGB value */
1105         return from == 2;
1106      }
1107
1108      else /* sRGB tag not involved */
1109      {
1110         png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1111             PNG_CHUNK_WARNING);
1112         return from == 1;
1113      }
1114   }
1115
1116   return 1;
1117}
1118
1119void /* PRIVATE */
1120png_colorspace_set_gamma(png_const_structrp png_ptr,
1121    png_colorspacerp colorspace, png_fixed_point gAMA)
1122{
1123   /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1124    * occur.  Since the fixed point representation is asymetrical it is
1125    * possible for 1/gamma to overflow the limit of 21474 and this means the
1126    * gamma value must be at least 5/100000 and hence at most 20000.0.  For
1127    * safety the limits here are a little narrower.  The values are 0.00016 to
1128    * 6250.0, which are truly ridiculous gamma values (and will produce
1129    * displays that are all black or all white.)
1130    *
1131    * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1132    * handling code, which only required the value to be >0.
1133    */
1134   png_const_charp errmsg;
1135
1136   if (gAMA < 16 || gAMA > 625000000)
1137      errmsg = "gamma value out of range";
1138
1139#  ifdef PNG_READ_gAMA_SUPPORTED
1140   /* Allow the application to set the gamma value more than once */
1141   else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1142      (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1143      errmsg = "duplicate";
1144#  endif
1145
1146   /* Do nothing if the colorspace is already invalid */
1147   else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1148      return;
1149
1150   else
1151   {
1152      if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1153          1/*from gAMA*/) != 0)
1154      {
1155         /* Store this gamma value. */
1156         colorspace->gamma = gAMA;
1157         colorspace->flags |=
1158            (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1159      }
1160
1161      /* At present if the check_gamma test fails the gamma of the colorspace is
1162       * not updated however the colorspace is not invalidated.  This
1163       * corresponds to the case where the existing gamma comes from an sRGB
1164       * chunk or profile.  An error message has already been output.
1165       */
1166      return;
1167   }
1168
1169   /* Error exit - errmsg has been set. */
1170   colorspace->flags |= PNG_COLORSPACE_INVALID;
1171   png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1172}
1173
1174void /* PRIVATE */
1175png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1176{
1177   if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1178   {
1179      /* Everything is invalid */
1180      info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1181         PNG_INFO_iCCP);
1182
1183#     ifdef PNG_COLORSPACE_SUPPORTED
1184      /* Clean up the iCCP profile now if it won't be used. */
1185      png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1186#     else
1187      PNG_UNUSED(png_ptr)
1188#     endif
1189   }
1190
1191   else
1192   {
1193#     ifdef PNG_COLORSPACE_SUPPORTED
1194      /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1195       * it; this allows a PNG to contain a profile which matches sRGB and
1196       * yet still have that profile retrievable by the application.
1197       */
1198      if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1199         info_ptr->valid |= PNG_INFO_sRGB;
1200
1201      else
1202         info_ptr->valid &= ~PNG_INFO_sRGB;
1203
1204      if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1205         info_ptr->valid |= PNG_INFO_cHRM;
1206
1207      else
1208         info_ptr->valid &= ~PNG_INFO_cHRM;
1209#     endif
1210
1211      if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1212         info_ptr->valid |= PNG_INFO_gAMA;
1213
1214      else
1215         info_ptr->valid &= ~PNG_INFO_gAMA;
1216   }
1217}
1218
1219#ifdef PNG_READ_SUPPORTED
1220void /* PRIVATE */
1221png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1222{
1223   if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1224      return;
1225
1226   info_ptr->colorspace = png_ptr->colorspace;
1227   png_colorspace_sync_info(png_ptr, info_ptr);
1228}
1229#endif
1230#endif /* GAMMA */
1231
1232#ifdef PNG_COLORSPACE_SUPPORTED
1233/* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1234 * cHRM, as opposed to using chromaticities.  These internal APIs return
1235 * non-zero on a parameter error.  The X, Y and Z values are required to be
1236 * positive and less than 1.0.
1237 */
1238static int
1239png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1240{
1241   png_int_32 d, dwhite, whiteX, whiteY;
1242
1243   d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1244   if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1245      return 1;
1246   if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1247      return 1;
1248   dwhite = d;
1249   whiteX = XYZ->red_X;
1250   whiteY = XYZ->red_Y;
1251
1252   d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1253   if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1254      return 1;
1255   if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1256      return 1;
1257   dwhite += d;
1258   whiteX += XYZ->green_X;
1259   whiteY += XYZ->green_Y;
1260
1261   d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1262   if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1263      return 1;
1264   if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1265      return 1;
1266   dwhite += d;
1267   whiteX += XYZ->blue_X;
1268   whiteY += XYZ->blue_Y;
1269
1270   /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1271    * thus:
1272    */
1273   if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1274      return 1;
1275   if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1276      return 1;
1277
1278   return 0;
1279}
1280
1281static int
1282png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1283{
1284   png_fixed_point red_inverse, green_inverse, blue_scale;
1285   png_fixed_point left, right, denominator;
1286
1287   /* Check xy and, implicitly, z.  Note that wide gamut color spaces typically
1288    * have end points with 0 tristimulus values (these are impossible end
1289    * points, but they are used to cover the possible colors).  We check
1290    * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1291    */
1292   if (xy->redx   < 0 || xy->redx > PNG_FP_1) return 1;
1293   if (xy->redy   < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1294   if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1295   if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1296   if (xy->bluex  < 0 || xy->bluex > PNG_FP_1) return 1;
1297   if (xy->bluey  < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1298   if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1299   if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1300
1301   /* The reverse calculation is more difficult because the original tristimulus
1302    * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1303    * derived values were recorded in the cHRM chunk;
1304    * (red,green,blue,white)x(x,y).  This loses one degree of freedom and
1305    * therefore an arbitrary ninth value has to be introduced to undo the
1306    * original transformations.
1307    *
1308    * Think of the original end-points as points in (X,Y,Z) space.  The
1309    * chromaticity values (c) have the property:
1310    *
1311    *           C
1312    *   c = ---------
1313    *       X + Y + Z
1314    *
1315    * For each c (x,y,z) from the corresponding original C (X,Y,Z).  Thus the
1316    * three chromaticity values (x,y,z) for each end-point obey the
1317    * relationship:
1318    *
1319    *   x + y + z = 1
1320    *
1321    * This describes the plane in (X,Y,Z) space that intersects each axis at the
1322    * value 1.0; call this the chromaticity plane.  Thus the chromaticity
1323    * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1324    * and chromaticity is the intersection of the vector from the origin to the
1325    * (X,Y,Z) value with the chromaticity plane.
1326    *
1327    * To fully invert the chromaticity calculation we would need the three
1328    * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1329    * were not recorded.  Instead we calculated the reference white (X,Y,Z) and
1330    * recorded the chromaticity of this.  The reference white (X,Y,Z) would have
1331    * given all three of the scale factors since:
1332    *
1333    *    color-C = color-c * color-scale
1334    *    white-C = red-C + green-C + blue-C
1335    *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1336    *
1337    * But cHRM records only white-x and white-y, so we have lost the white scale
1338    * factor:
1339    *
1340    *    white-C = white-c*white-scale
1341    *
1342    * To handle this the inverse transformation makes an arbitrary assumption
1343    * about white-scale:
1344    *
1345    *    Assume: white-Y = 1.0
1346    *    Hence:  white-scale = 1/white-y
1347    *    Or:     red-Y + green-Y + blue-Y = 1.0
1348    *
1349    * Notice the last statement of the assumption gives an equation in three of
1350    * the nine values we want to calculate.  8 more equations come from the
1351    * above routine as summarised at the top above (the chromaticity
1352    * calculation):
1353    *
1354    *    Given: color-x = color-X / (color-X + color-Y + color-Z)
1355    *    Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1356    *
1357    * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1358    * solved by Cramer's rule.  Cramer's rule requires calculating 10 9x9 matrix
1359    * determinants, however this is not as bad as it seems because only 28 of
1360    * the total of 90 terms in the various matrices are non-zero.  Nevertheless
1361    * Cramer's rule is notoriously numerically unstable because the determinant
1362    * calculation involves the difference of large, but similar, numbers.  It is
1363    * difficult to be sure that the calculation is stable for real world values
1364    * and it is certain that it becomes unstable where the end points are close
1365    * together.
1366    *
1367    * So this code uses the perhaps slightly less optimal but more
1368    * understandable and totally obvious approach of calculating color-scale.
1369    *
1370    * This algorithm depends on the precision in white-scale and that is
1371    * (1/white-y), so we can immediately see that as white-y approaches 0 the
1372    * accuracy inherent in the cHRM chunk drops off substantially.
1373    *
1374    * libpng arithmetic: a simple inversion of the above equations
1375    * ------------------------------------------------------------
1376    *
1377    *    white_scale = 1/white-y
1378    *    white-X = white-x * white-scale
1379    *    white-Y = 1.0
1380    *    white-Z = (1 - white-x - white-y) * white_scale
1381    *
1382    *    white-C = red-C + green-C + blue-C
1383    *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1384    *
1385    * This gives us three equations in (red-scale,green-scale,blue-scale) where
1386    * all the coefficients are now known:
1387    *
1388    *    red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1389    *       = white-x/white-y
1390    *    red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1391    *    red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1392    *       = (1 - white-x - white-y)/white-y
1393    *
1394    * In the last equation color-z is (1 - color-x - color-y) so we can add all
1395    * three equations together to get an alternative third:
1396    *
1397    *    red-scale + green-scale + blue-scale = 1/white-y = white-scale
1398    *
1399    * So now we have a Cramer's rule solution where the determinants are just
1400    * 3x3 - far more tractible.  Unfortunately 3x3 determinants still involve
1401    * multiplication of three coefficients so we can't guarantee to avoid
1402    * overflow in the libpng fixed point representation.  Using Cramer's rule in
1403    * floating point is probably a good choice here, but it's not an option for
1404    * fixed point.  Instead proceed to simplify the first two equations by
1405    * eliminating what is likely to be the largest value, blue-scale:
1406    *
1407    *    blue-scale = white-scale - red-scale - green-scale
1408    *
1409    * Hence:
1410    *
1411    *    (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1412    *                (white-x - blue-x)*white-scale
1413    *
1414    *    (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1415    *                1 - blue-y*white-scale
1416    *
1417    * And now we can trivially solve for (red-scale,green-scale):
1418    *
1419    *    green-scale =
1420    *                (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1421    *                -----------------------------------------------------------
1422    *                                  green-x - blue-x
1423    *
1424    *    red-scale =
1425    *                1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1426    *                ---------------------------------------------------------
1427    *                                  red-y - blue-y
1428    *
1429    * Hence:
1430    *
1431    *    red-scale =
1432    *          ( (green-x - blue-x) * (white-y - blue-y) -
1433    *            (green-y - blue-y) * (white-x - blue-x) ) / white-y
1434    * -------------------------------------------------------------------------
1435    *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1436    *
1437    *    green-scale =
1438    *          ( (red-y - blue-y) * (white-x - blue-x) -
1439    *            (red-x - blue-x) * (white-y - blue-y) ) / white-y
1440    * -------------------------------------------------------------------------
1441    *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1442    *
1443    * Accuracy:
1444    * The input values have 5 decimal digits of accuracy.  The values are all in
1445    * the range 0 < value < 1, so simple products are in the same range but may
1446    * need up to 10 decimal digits to preserve the original precision and avoid
1447    * underflow.  Because we are using a 32-bit signed representation we cannot
1448    * match this; the best is a little over 9 decimal digits, less than 10.
1449    *
1450    * The approach used here is to preserve the maximum precision within the
1451    * signed representation.  Because the red-scale calculation above uses the
1452    * difference between two products of values that must be in the range -1..+1
1453    * it is sufficient to divide the product by 7; ceil(100,000/32767*2).  The
1454    * factor is irrelevant in the calculation because it is applied to both
1455    * numerator and denominator.
1456    *
1457    * Note that the values of the differences of the products of the
1458    * chromaticities in the above equations tend to be small, for example for
1459    * the sRGB chromaticities they are:
1460    *
1461    * red numerator:    -0.04751
1462    * green numerator:  -0.08788
1463    * denominator:      -0.2241 (without white-y multiplication)
1464    *
1465    *  The resultant Y coefficients from the chromaticities of some widely used
1466    *  color space definitions are (to 15 decimal places):
1467    *
1468    *  sRGB
1469    *    0.212639005871510 0.715168678767756 0.072192315360734
1470    *  Kodak ProPhoto
1471    *    0.288071128229293 0.711843217810102 0.000085653960605
1472    *  Adobe RGB
1473    *    0.297344975250536 0.627363566255466 0.075291458493998
1474    *  Adobe Wide Gamut RGB
1475    *    0.258728243040113 0.724682314948566 0.016589442011321
1476    */
1477   /* By the argument, above overflow should be impossible here. The return
1478    * value of 2 indicates an internal error to the caller.
1479    */
1480   if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1481      return 2;
1482   if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1483      return 2;
1484   denominator = left - right;
1485
1486   /* Now find the red numerator. */
1487   if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1488      return 2;
1489   if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1490      return 2;
1491
1492   /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1493    * chunk values.  This calculation actually returns the reciprocal of the
1494    * scale value because this allows us to delay the multiplication of white-y
1495    * into the denominator, which tends to produce a small number.
1496    */
1497   if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1498       red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1499      return 1;
1500
1501   /* Similarly for green_inverse: */
1502   if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1503      return 2;
1504   if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1505      return 2;
1506   if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1507       green_inverse <= xy->whitey)
1508      return 1;
1509
1510   /* And the blue scale, the checks above guarantee this can't overflow but it
1511    * can still produce 0 for extreme cHRM values.
1512    */
1513   blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1514       png_reciprocal(green_inverse);
1515   if (blue_scale <= 0)
1516      return 1;
1517
1518
1519   /* And fill in the png_XYZ: */
1520   if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1521      return 1;
1522   if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1523      return 1;
1524   if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1525       red_inverse) == 0)
1526      return 1;
1527
1528   if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1529      return 1;
1530   if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1531      return 1;
1532   if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1533       green_inverse) == 0)
1534      return 1;
1535
1536   if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1537      return 1;
1538   if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1539      return 1;
1540   if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1541       PNG_FP_1) == 0)
1542      return 1;
1543
1544   return 0; /*success*/
1545}
1546
1547static int
1548png_XYZ_normalize(png_XYZ *XYZ)
1549{
1550   png_int_32 Y;
1551
1552   if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1553      XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1554      XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1555      return 1;
1556
1557   /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1558    * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1559    * relying on addition of two positive values producing a negative one is not
1560    * safe.
1561    */
1562   Y = XYZ->red_Y;
1563   if (0x7fffffff - Y < XYZ->green_X)
1564      return 1;
1565   Y += XYZ->green_Y;
1566   if (0x7fffffff - Y < XYZ->blue_X)
1567      return 1;
1568   Y += XYZ->blue_Y;
1569
1570   if (Y != PNG_FP_1)
1571   {
1572      if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1573         return 1;
1574      if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1575         return 1;
1576      if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1577         return 1;
1578
1579      if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1580         return 1;
1581      if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1582         return 1;
1583      if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1584         return 1;
1585
1586      if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1587         return 1;
1588      if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1589         return 1;
1590      if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1591         return 1;
1592   }
1593
1594   return 0;
1595}
1596
1597static int
1598png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1599{
1600   /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1601   if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1602       PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1603       PNG_OUT_OF_RANGE(xy1->redx,   xy2->redx,  delta) ||
1604       PNG_OUT_OF_RANGE(xy1->redy,   xy2->redy,  delta) ||
1605       PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1606       PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1607       PNG_OUT_OF_RANGE(xy1->bluex,  xy2->bluex, delta) ||
1608       PNG_OUT_OF_RANGE(xy1->bluey,  xy2->bluey, delta))
1609      return 0;
1610   return 1;
1611}
1612
1613/* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1614 * chunk chromaticities.  Earlier checks used to simply look for the overflow
1615 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1616 * because the chromaticity values are not all distinct.)  Despite this it is
1617 * theoretically possible to produce chromaticities that are apparently valid
1618 * but that rapidly degrade to invalid, potentially crashing, sets because of
1619 * arithmetic inaccuracies when calculations are performed on them.  The new
1620 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1621 * within a small percentage of the original.
1622 */
1623static int
1624png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1625{
1626   int result;
1627   png_xy xy_test;
1628
1629   /* As a side-effect this routine also returns the XYZ endpoints. */
1630   result = png_XYZ_from_xy(XYZ, xy);
1631   if (result != 0)
1632      return result;
1633
1634   result = png_xy_from_XYZ(&xy_test, XYZ);
1635   if (result != 0)
1636      return result;
1637
1638   if (png_colorspace_endpoints_match(xy, &xy_test,
1639       5/*actually, the math is pretty accurate*/) != 0)
1640      return 0;
1641
1642   /* Too much slip */
1643   return 1;
1644}
1645
1646/* This is the check going the other way.  The XYZ is modified to normalize it
1647 * (another side-effect) and the xy chromaticities are returned.
1648 */
1649static int
1650png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1651{
1652   int result;
1653   png_XYZ XYZtemp;
1654
1655   result = png_XYZ_normalize(XYZ);
1656   if (result != 0)
1657      return result;
1658
1659   result = png_xy_from_XYZ(xy, XYZ);
1660   if (result != 0)
1661      return result;
1662
1663   XYZtemp = *XYZ;
1664   return png_colorspace_check_xy(&XYZtemp, xy);
1665}
1666
1667/* Used to check for an endpoint match against sRGB */
1668static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1669{
1670   /* color      x       y */
1671   /* red   */ 64000, 33000,
1672   /* green */ 30000, 60000,
1673   /* blue  */ 15000,  6000,
1674   /* white */ 31270, 32900
1675};
1676
1677static int
1678png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1679    png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1680    int preferred)
1681{
1682   if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1683      return 0;
1684
1685   /* The consistency check is performed on the chromaticities; this factors out
1686    * variations because of the normalization (or not) of the end point Y
1687    * values.
1688    */
1689   if (preferred < 2 &&
1690       (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1691   {
1692      /* The end points must be reasonably close to any we already have.  The
1693       * following allows an error of up to +/-.001
1694       */
1695      if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1696          100) == 0)
1697      {
1698         colorspace->flags |= PNG_COLORSPACE_INVALID;
1699         png_benign_error(png_ptr, "inconsistent chromaticities");
1700         return 0; /* failed */
1701      }
1702
1703      /* Only overwrite with preferred values */
1704      if (preferred == 0)
1705         return 1; /* ok, but no change */
1706   }
1707
1708   colorspace->end_points_xy = *xy;
1709   colorspace->end_points_XYZ = *XYZ;
1710   colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1711
1712   /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1713    * on this test.
1714    */
1715   if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1716      colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1717
1718   else
1719      colorspace->flags &= PNG_COLORSPACE_CANCEL(
1720         PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1721
1722   return 2; /* ok and changed */
1723}
1724
1725int /* PRIVATE */
1726png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1727    png_colorspacerp colorspace, const png_xy *xy, int preferred)
1728{
1729   /* We must check the end points to ensure they are reasonable - in the past
1730    * color management systems have crashed as a result of getting bogus
1731    * colorant values, while this isn't the fault of libpng it is the
1732    * responsibility of libpng because PNG carries the bomb and libpng is in a
1733    * position to protect against it.
1734    */
1735   png_XYZ XYZ;
1736
1737   switch (png_colorspace_check_xy(&XYZ, xy))
1738   {
1739      case 0: /* success */
1740         return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1741             preferred);
1742
1743      case 1:
1744         /* We can't invert the chromaticities so we can't produce value XYZ
1745          * values.  Likely as not a color management system will fail too.
1746          */
1747         colorspace->flags |= PNG_COLORSPACE_INVALID;
1748         png_benign_error(png_ptr, "invalid chromaticities");
1749         break;
1750
1751      default:
1752         /* libpng is broken; this should be a warning but if it happens we
1753          * want error reports so for the moment it is an error.
1754          */
1755         colorspace->flags |= PNG_COLORSPACE_INVALID;
1756         png_error(png_ptr, "internal error checking chromaticities");
1757   }
1758
1759   return 0; /* failed */
1760}
1761
1762int /* PRIVATE */
1763png_colorspace_set_endpoints(png_const_structrp png_ptr,
1764    png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1765{
1766   png_XYZ XYZ = *XYZ_in;
1767   png_xy xy;
1768
1769   switch (png_colorspace_check_XYZ(&xy, &XYZ))
1770   {
1771      case 0:
1772         return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1773             preferred);
1774
1775      case 1:
1776         /* End points are invalid. */
1777         colorspace->flags |= PNG_COLORSPACE_INVALID;
1778         png_benign_error(png_ptr, "invalid end points");
1779         break;
1780
1781      default:
1782         colorspace->flags |= PNG_COLORSPACE_INVALID;
1783         png_error(png_ptr, "internal error checking chromaticities");
1784   }
1785
1786   return 0; /* failed */
1787}
1788
1789#if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1790/* Error message generation */
1791static char
1792png_icc_tag_char(png_uint_32 byte)
1793{
1794   byte &= 0xff;
1795   if (byte >= 32 && byte <= 126)
1796      return (char)byte;
1797   else
1798      return '?';
1799}
1800
1801static void
1802png_icc_tag_name(char *name, png_uint_32 tag)
1803{
1804   name[0] = '\'';
1805   name[1] = png_icc_tag_char(tag >> 24);
1806   name[2] = png_icc_tag_char(tag >> 16);
1807   name[3] = png_icc_tag_char(tag >>  8);
1808   name[4] = png_icc_tag_char(tag      );
1809   name[5] = '\'';
1810}
1811
1812static int
1813is_ICC_signature_char(png_alloc_size_t it)
1814{
1815   return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1816      (it >= 97 && it <= 122);
1817}
1818
1819static int
1820is_ICC_signature(png_alloc_size_t it)
1821{
1822   return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1823      is_ICC_signature_char((it >> 16) & 0xff) &&
1824      is_ICC_signature_char((it >> 8) & 0xff) &&
1825      is_ICC_signature_char(it & 0xff);
1826}
1827
1828static int
1829png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1830    png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1831{
1832   size_t pos;
1833   char message[196]; /* see below for calculation */
1834
1835   if (colorspace != NULL)
1836      colorspace->flags |= PNG_COLORSPACE_INVALID;
1837
1838   pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1839   pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1840   pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1841   if (is_ICC_signature(value) != 0)
1842   {
1843      /* So 'value' is at most 4 bytes and the following cast is safe */
1844      png_icc_tag_name(message+pos, (png_uint_32)value);
1845      pos += 6; /* total +8; less than the else clause */
1846      message[pos++] = ':';
1847      message[pos++] = ' ';
1848   }
1849#  ifdef PNG_WARNINGS_SUPPORTED
1850   else
1851      {
1852         char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1853
1854         pos = png_safecat(message, (sizeof message), pos,
1855             png_format_number(number, number+(sizeof number),
1856             PNG_NUMBER_FORMAT_x, value));
1857         pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1858      }
1859#  endif
1860   /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1861   pos = png_safecat(message, (sizeof message), pos, reason);
1862   PNG_UNUSED(pos)
1863
1864   /* This is recoverable, but make it unconditionally an app_error on write to
1865    * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1866    * on read, with a warning, but on write unless the app turns off
1867    * application errors the PNG won't be written.)
1868    */
1869   png_chunk_report(png_ptr, message,
1870       (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1871
1872   return 0;
1873}
1874#endif /* sRGB || iCCP */
1875
1876#ifdef PNG_sRGB_SUPPORTED
1877int /* PRIVATE */
1878png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1879    int intent)
1880{
1881   /* sRGB sets known gamma, end points and (from the chunk) intent. */
1882   /* IMPORTANT: these are not necessarily the values found in an ICC profile
1883    * because ICC profiles store values adapted to a D50 environment; it is
1884    * expected that the ICC profile mediaWhitePointTag will be D50; see the
1885    * checks and code elsewhere to understand this better.
1886    *
1887    * These XYZ values, which are accurate to 5dp, produce rgb to gray
1888    * coefficients of (6968,23435,2366), which are reduced (because they add up
1889    * to 32769 not 32768) to (6968,23434,2366).  These are the values that
1890    * libpng has traditionally used (and are the best values given the 15bit
1891    * algorithm used by the rgb to gray code.)
1892    */
1893   static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1894   {
1895      /* color      X      Y      Z */
1896      /* red   */ 41239, 21264,  1933,
1897      /* green */ 35758, 71517, 11919,
1898      /* blue  */ 18048,  7219, 95053
1899   };
1900
1901   /* Do nothing if the colorspace is already invalidated. */
1902   if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1903      return 0;
1904
1905   /* Check the intent, then check for existing settings.  It is valid for the
1906    * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1907    * be consistent with the correct values.  If, however, this function is
1908    * called below because an iCCP chunk matches sRGB then it is quite
1909    * conceivable that an older app recorded incorrect gAMA and cHRM because of
1910    * an incorrect calculation based on the values in the profile - this does
1911    * *not* invalidate the profile (though it still produces an error, which can
1912    * be ignored.)
1913    */
1914   if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1915      return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1916          (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1917
1918   if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1919       colorspace->rendering_intent != intent)
1920      return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1921         (png_alloc_size_t)intent, "inconsistent rendering intents");
1922
1923   if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1924   {
1925      png_benign_error(png_ptr, "duplicate sRGB information ignored");
1926      return 0;
1927   }
1928
1929   /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1930    * warn but overwrite the value with the correct one.
1931    */
1932   if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1933       !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1934       100))
1935      png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1936         PNG_CHUNK_ERROR);
1937
1938   /* This check is just done for the error reporting - the routine always
1939    * returns true when the 'from' argument corresponds to sRGB (2).
1940    */
1941   (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1942       2/*from sRGB*/);
1943
1944   /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1945   colorspace->rendering_intent = (png_uint_16)intent;
1946   colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1947
1948   /* endpoints */
1949   colorspace->end_points_xy = sRGB_xy;
1950   colorspace->end_points_XYZ = sRGB_XYZ;
1951   colorspace->flags |=
1952      (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1953
1954   /* gamma */
1955   colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1956   colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1957
1958   /* Finally record that we have an sRGB profile */
1959   colorspace->flags |=
1960      (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1961
1962   return 1; /* set */
1963}
1964#endif /* sRGB */
1965
1966#ifdef PNG_iCCP_SUPPORTED
1967/* Encoded value of D50 as an ICC XYZNumber.  From the ICC 2010 spec the value
1968 * is XYZ(0.9642,1.0,0.8249), which scales to:
1969 *
1970 *    (63189.8112, 65536, 54060.6464)
1971 */
1972static const png_byte D50_nCIEXYZ[12] =
1973   { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1974
1975static int /* bool */
1976icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1977    png_const_charp name, png_uint_32 profile_length)
1978{
1979   if (profile_length < 132)
1980      return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1981          "too short");
1982   return 1;
1983}
1984
1985#ifdef PNG_READ_iCCP_SUPPORTED
1986int /* PRIVATE */
1987png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1988    png_const_charp name, png_uint_32 profile_length)
1989{
1990   if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1991      return 0;
1992
1993   /* This needs to be here because the 'normal' check is in
1994    * png_decompress_chunk, yet this happens after the attempt to
1995    * png_malloc_base the required data.  We only need this on read; on write
1996    * the caller supplies the profile buffer so libpng doesn't allocate it.  See
1997    * the call to icc_check_length below (the write case).
1998    */
1999#  ifdef PNG_SET_USER_LIMITS_SUPPORTED
2000      else if (png_ptr->user_chunk_malloc_max > 0 &&
2001               png_ptr->user_chunk_malloc_max < profile_length)
2002         return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2003             "exceeds application limits");
2004#  elif PNG_USER_CHUNK_MALLOC_MAX > 0
2005      else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2006         return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2007             "exceeds libpng limits");
2008#  else /* !SET_USER_LIMITS */
2009      /* This will get compiled out on all 32-bit and better systems. */
2010      else if (PNG_SIZE_MAX < profile_length)
2011         return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2012             "exceeds system limits");
2013#  endif /* !SET_USER_LIMITS */
2014
2015   return 1;
2016}
2017#endif /* READ_iCCP */
2018
2019int /* PRIVATE */
2020png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2021    png_const_charp name, png_uint_32 profile_length,
2022    png_const_bytep profile/* first 132 bytes only */, int color_type)
2023{
2024   png_uint_32 temp;
2025
2026   /* Length check; this cannot be ignored in this code because profile_length
2027    * is used later to check the tag table, so even if the profile seems over
2028    * long profile_length from the caller must be correct.  The caller can fix
2029    * this up on read or write by just passing in the profile header length.
2030    */
2031   temp = png_get_uint_32(profile);
2032   if (temp != profile_length)
2033      return png_icc_profile_error(png_ptr, colorspace, name, temp,
2034          "length does not match profile");
2035
2036   temp = (png_uint_32) (*(profile+8));
2037   if (temp > 3 && (profile_length & 3))
2038      return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2039          "invalid length");
2040
2041   temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2042   if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2043      profile_length < 132+12*temp) /* truncated tag table */
2044      return png_icc_profile_error(png_ptr, colorspace, name, temp,
2045          "tag count too large");
2046
2047   /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2048    * 16 bits.
2049    */
2050   temp = png_get_uint_32(profile+64);
2051   if (temp >= 0xffff) /* The ICC limit */
2052      return png_icc_profile_error(png_ptr, colorspace, name, temp,
2053          "invalid rendering intent");
2054
2055   /* This is just a warning because the profile may be valid in future
2056    * versions.
2057    */
2058   if (temp >= PNG_sRGB_INTENT_LAST)
2059      (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2060          "intent outside defined range");
2061
2062   /* At this point the tag table can't be checked because it hasn't necessarily
2063    * been loaded; however, various header fields can be checked.  These checks
2064    * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2065    * restricts the profiles that can be passed in an iCCP chunk (they must be
2066    * appropriate to processing PNG data!)
2067    */
2068
2069   /* Data checks (could be skipped).  These checks must be independent of the
2070    * version number; however, the version number doesn't accomodate changes in
2071    * the header fields (just the known tags and the interpretation of the
2072    * data.)
2073    */
2074   temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2075   if (temp != 0x61637370)
2076      return png_icc_profile_error(png_ptr, colorspace, name, temp,
2077          "invalid signature");
2078
2079   /* Currently the PCS illuminant/adopted white point (the computational
2080    * white point) are required to be D50,
2081    * however the profile contains a record of the illuminant so perhaps ICC
2082    * expects to be able to change this in the future (despite the rationale in
2083    * the introduction for using a fixed PCS adopted white.)  Consequently the
2084    * following is just a warning.
2085    */
2086   if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2087      (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2088          "PCS illuminant is not D50");
2089
2090   /* The PNG spec requires this:
2091    * "If the iCCP chunk is present, the image samples conform to the colour
2092    * space represented by the embedded ICC profile as defined by the
2093    * International Color Consortium [ICC]. The colour space of the ICC profile
2094    * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2095    * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2096    * and 4)."
2097    *
2098    * This checking code ensures the embedded profile (on either read or write)
2099    * conforms to the specification requirements.  Notice that an ICC 'gray'
2100    * color-space profile contains the information to transform the monochrome
2101    * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2102    * should be used in preference to the standard libpng K channel replication
2103    * into R, G and B channels.
2104    *
2105    * Previously it was suggested that an RGB profile on grayscale data could be
2106    * handled.  However it it is clear that using an RGB profile in this context
2107    * must be an error - there is no specification of what it means.  Thus it is
2108    * almost certainly more correct to ignore the profile.
2109    */
2110   temp = png_get_uint_32(profile+16); /* data colour space field */
2111   switch (temp)
2112   {
2113      case 0x52474220: /* 'RGB ' */
2114         if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2115            return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116                "RGB color space not permitted on grayscale PNG");
2117         break;
2118
2119      case 0x47524159: /* 'GRAY' */
2120         if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2121            return png_icc_profile_error(png_ptr, colorspace, name, temp,
2122                "Gray color space not permitted on RGB PNG");
2123         break;
2124
2125      default:
2126         return png_icc_profile_error(png_ptr, colorspace, name, temp,
2127             "invalid ICC profile color space");
2128   }
2129
2130   /* It is up to the application to check that the profile class matches the
2131    * application requirements; the spec provides no guidance, but it's pretty
2132    * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2133    * ('prtr') or 'spac' (for generic color spaces).  Issue a warning in these
2134    * cases.  Issue an error for device link or abstract profiles - these don't
2135    * contain the records necessary to transform the color-space to anything
2136    * other than the target device (and not even that for an abstract profile).
2137    * Profiles of these classes may not be embedded in images.
2138    */
2139   temp = png_get_uint_32(profile+12); /* profile/device class */
2140   switch (temp)
2141   {
2142      case 0x73636e72: /* 'scnr' */
2143      case 0x6d6e7472: /* 'mntr' */
2144      case 0x70727472: /* 'prtr' */
2145      case 0x73706163: /* 'spac' */
2146         /* All supported */
2147         break;
2148
2149      case 0x61627374: /* 'abst' */
2150         /* May not be embedded in an image */
2151         return png_icc_profile_error(png_ptr, colorspace, name, temp,
2152             "invalid embedded Abstract ICC profile");
2153
2154      case 0x6c696e6b: /* 'link' */
2155         /* DeviceLink profiles cannot be interpreted in a non-device specific
2156          * fashion, if an app uses the AToB0Tag in the profile the results are
2157          * undefined unless the result is sent to the intended device,
2158          * therefore a DeviceLink profile should not be found embedded in a
2159          * PNG.
2160          */
2161         return png_icc_profile_error(png_ptr, colorspace, name, temp,
2162             "unexpected DeviceLink ICC profile class");
2163
2164      case 0x6e6d636c: /* 'nmcl' */
2165         /* A NamedColor profile is also device specific, however it doesn't
2166          * contain an AToB0 tag that is open to misinterpretation.  Almost
2167          * certainly it will fail the tests below.
2168          */
2169         (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2170             "unexpected NamedColor ICC profile class");
2171         break;
2172
2173      default:
2174         /* To allow for future enhancements to the profile accept unrecognized
2175          * profile classes with a warning, these then hit the test below on the
2176          * tag content to ensure they are backward compatible with one of the
2177          * understood profiles.
2178          */
2179         (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2180             "unrecognized ICC profile class");
2181         break;
2182   }
2183
2184   /* For any profile other than a device link one the PCS must be encoded
2185    * either in XYZ or Lab.
2186    */
2187   temp = png_get_uint_32(profile+20);
2188   switch (temp)
2189   {
2190      case 0x58595a20: /* 'XYZ ' */
2191      case 0x4c616220: /* 'Lab ' */
2192         break;
2193
2194      default:
2195         return png_icc_profile_error(png_ptr, colorspace, name, temp,
2196             "unexpected ICC PCS encoding");
2197   }
2198
2199   return 1;
2200}
2201
2202int /* PRIVATE */
2203png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2204    png_const_charp name, png_uint_32 profile_length,
2205    png_const_bytep profile /* header plus whole tag table */)
2206{
2207   png_uint_32 tag_count = png_get_uint_32(profile+128);
2208   png_uint_32 itag;
2209   png_const_bytep tag = profile+132; /* The first tag */
2210
2211   /* First scan all the tags in the table and add bits to the icc_info value
2212    * (temporarily in 'tags').
2213    */
2214   for (itag=0; itag < tag_count; ++itag, tag += 12)
2215   {
2216      png_uint_32 tag_id = png_get_uint_32(tag+0);
2217      png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2218      png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2219
2220      /* The ICC specification does not exclude zero length tags, therefore the
2221       * start might actually be anywhere if there is no data, but this would be
2222       * a clear abuse of the intent of the standard so the start is checked for
2223       * being in range.  All defined tag types have an 8 byte header - a 4 byte
2224       * type signature then 0.
2225       */
2226
2227      /* This is a hard error; potentially it can cause read outside the
2228       * profile.
2229       */
2230      if (tag_start > profile_length || tag_length > profile_length - tag_start)
2231         return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2232             "ICC profile tag outside profile");
2233
2234      if ((tag_start & 3) != 0)
2235      {
2236         /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2237          * only a warning here because libpng does not care about the
2238          * alignment.
2239          */
2240         (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2241             "ICC profile tag start not a multiple of 4");
2242      }
2243   }
2244
2245   return 1; /* success, maybe with warnings */
2246}
2247
2248#ifdef PNG_sRGB_SUPPORTED
2249#if PNG_sRGB_PROFILE_CHECKS >= 0
2250/* Information about the known ICC sRGB profiles */
2251static const struct
2252{
2253   png_uint_32 adler, crc, length;
2254   png_uint_32 md5[4];
2255   png_byte    have_md5;
2256   png_byte    is_broken;
2257   png_uint_16 intent;
2258
2259#  define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2260#  define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2261      { adler, crc, length, md5, broke, intent },
2262
2263} png_sRGB_checks[] =
2264{
2265   /* This data comes from contrib/tools/checksum-icc run on downloads of
2266    * all four ICC sRGB profiles from www.color.org.
2267    */
2268   /* adler32, crc32, MD5[4], intent, date, length, file-name */
2269   PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2270       PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2271       "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2272
2273   /* ICC sRGB v2 perceptual no black-compensation: */
2274   PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2275       PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2276       "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2277
2278   PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2279       PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2280       "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2281
2282   /* ICC sRGB v4 perceptual */
2283   PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2284       PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2285       "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2286
2287   /* The following profiles have no known MD5 checksum. If there is a match
2288    * on the (empty) MD5 the other fields are used to attempt a match and
2289    * a warning is produced.  The first two of these profiles have a 'cprt' tag
2290    * which suggests that they were also made by Hewlett Packard.
2291    */
2292   PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2293       PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2294       "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2295
2296   /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2297    * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2298    * so the white point is recorded as the un-adapted value.)  The profiles
2299    * below only differ in one byte - the intent - and are basically the same as
2300    * the previous profile except for the mediaWhitePointTag error and a missing
2301    * chromaticAdaptationTag.
2302    */
2303   PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2304       PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2305       "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2306
2307   PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2308       PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2309       "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2310};
2311
2312static int
2313png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2314    png_const_bytep profile, uLong adler)
2315{
2316   /* The quick check is to verify just the MD5 signature and trust the
2317    * rest of the data.  Because the profile has already been verified for
2318    * correctness this is safe.  png_colorspace_set_sRGB will check the 'intent'
2319    * field too, so if the profile has been edited with an intent not defined
2320    * by sRGB (but maybe defined by a later ICC specification) the read of
2321    * the profile will fail at that point.
2322    */
2323
2324   png_uint_32 length = 0;
2325   png_uint_32 intent = 0x10000; /* invalid */
2326#if PNG_sRGB_PROFILE_CHECKS > 1
2327   uLong crc = 0; /* the value for 0 length data */
2328#endif
2329   unsigned int i;
2330
2331#ifdef PNG_SET_OPTION_SUPPORTED
2332   /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2333   if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2334               PNG_OPTION_ON)
2335      return 0;
2336#endif
2337
2338   for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2339   {
2340      if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2341         png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2342         png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2343         png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2344      {
2345         /* This may be one of the old HP profiles without an MD5, in that
2346          * case we can only use the length and Adler32 (note that these
2347          * are not used by default if there is an MD5!)
2348          */
2349#        if PNG_sRGB_PROFILE_CHECKS == 0
2350            if (png_sRGB_checks[i].have_md5 != 0)
2351               return 1+png_sRGB_checks[i].is_broken;
2352#        endif
2353
2354         /* Profile is unsigned or more checks have been configured in. */
2355         if (length == 0)
2356         {
2357            length = png_get_uint_32(profile);
2358            intent = png_get_uint_32(profile+64);
2359         }
2360
2361         /* Length *and* intent must match */
2362         if (length == (png_uint_32) png_sRGB_checks[i].length &&
2363            intent == (png_uint_32) png_sRGB_checks[i].intent)
2364         {
2365            /* Now calculate the adler32 if not done already. */
2366            if (adler == 0)
2367            {
2368               adler = adler32(0, NULL, 0);
2369               adler = adler32(adler, profile, length);
2370            }
2371
2372            if (adler == png_sRGB_checks[i].adler)
2373            {
2374               /* These basic checks suggest that the data has not been
2375                * modified, but if the check level is more than 1 perform
2376                * our own crc32 checksum on the data.
2377                */
2378#              if PNG_sRGB_PROFILE_CHECKS > 1
2379                  if (crc == 0)
2380                  {
2381                     crc = crc32(0, NULL, 0);
2382                     crc = crc32(crc, profile, length);
2383                  }
2384
2385                  /* So this check must pass for the 'return' below to happen.
2386                   */
2387                  if (crc == png_sRGB_checks[i].crc)
2388#              endif
2389               {
2390                  if (png_sRGB_checks[i].is_broken != 0)
2391                  {
2392                     /* These profiles are known to have bad data that may cause
2393                      * problems if they are used, therefore attempt to
2394                      * discourage their use, skip the 'have_md5' warning below,
2395                      * which is made irrelevant by this error.
2396                      */
2397                     png_chunk_report(png_ptr, "known incorrect sRGB profile",
2398                         PNG_CHUNK_ERROR);
2399                  }
2400
2401                  /* Warn that this being done; this isn't even an error since
2402                   * the profile is perfectly valid, but it would be nice if
2403                   * people used the up-to-date ones.
2404                   */
2405                  else if (png_sRGB_checks[i].have_md5 == 0)
2406                  {
2407                     png_chunk_report(png_ptr,
2408                         "out-of-date sRGB profile with no signature",
2409                         PNG_CHUNK_WARNING);
2410                  }
2411
2412                  return 1+png_sRGB_checks[i].is_broken;
2413               }
2414            }
2415
2416# if PNG_sRGB_PROFILE_CHECKS > 0
2417         /* The signature matched, but the profile had been changed in some
2418          * way.  This probably indicates a data error or uninformed hacking.
2419          * Fall through to "no match".
2420          */
2421         png_chunk_report(png_ptr,
2422             "Not recognizing known sRGB profile that has been edited",
2423             PNG_CHUNK_WARNING);
2424         break;
2425# endif
2426         }
2427      }
2428   }
2429
2430   return 0; /* no match */
2431}
2432
2433void /* PRIVATE */
2434png_icc_set_sRGB(png_const_structrp png_ptr,
2435    png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2436{
2437   /* Is this profile one of the known ICC sRGB profiles?  If it is, just set
2438    * the sRGB information.
2439    */
2440   if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2441      (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2442         (int)/*already checked*/png_get_uint_32(profile+64));
2443}
2444#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2445#endif /* sRGB */
2446
2447int /* PRIVATE */
2448png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2449    png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2450    int color_type)
2451{
2452   if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2453      return 0;
2454
2455   if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2456       png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2457           color_type) != 0 &&
2458       png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2459           profile) != 0)
2460   {
2461#     if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2462         /* If no sRGB support, don't try storing sRGB information */
2463         png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2464#     endif
2465      return 1;
2466   }
2467
2468   /* Failure case */
2469   return 0;
2470}
2471#endif /* iCCP */
2472
2473#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2474void /* PRIVATE */
2475png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2476{
2477   /* Set the rgb_to_gray coefficients from the colorspace. */
2478   if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2479      (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2480   {
2481      /* png_set_background has not been called, get the coefficients from the Y
2482       * values of the colorspace colorants.
2483       */
2484      png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2485      png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2486      png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2487      png_fixed_point total = r+g+b;
2488
2489      if (total > 0 &&
2490         r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2491         g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2492         b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2493         r+g+b <= 32769)
2494      {
2495         /* We allow 0 coefficients here.  r+g+b may be 32769 if two or
2496          * all of the coefficients were rounded up.  Handle this by
2497          * reducing the *largest* coefficient by 1; this matches the
2498          * approach used for the default coefficients in pngrtran.c
2499          */
2500         int add = 0;
2501
2502         if (r+g+b > 32768)
2503            add = -1;
2504         else if (r+g+b < 32768)
2505            add = 1;
2506
2507         if (add != 0)
2508         {
2509            if (g >= r && g >= b)
2510               g += add;
2511            else if (r >= g && r >= b)
2512               r += add;
2513            else
2514               b += add;
2515         }
2516
2517         /* Check for an internal error. */
2518         if (r+g+b != 32768)
2519            png_error(png_ptr,
2520                "internal error handling cHRM coefficients");
2521
2522         else
2523         {
2524            png_ptr->rgb_to_gray_red_coeff   = (png_uint_16)r;
2525            png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2526         }
2527      }
2528
2529      /* This is a png_error at present even though it could be ignored -
2530       * it should never happen, but it is important that if it does, the
2531       * bug is fixed.
2532       */
2533      else
2534         png_error(png_ptr, "internal error handling cHRM->XYZ");
2535   }
2536}
2537#endif /* READ_RGB_TO_GRAY */
2538
2539#endif /* COLORSPACE */
2540
2541#ifdef __GNUC__
2542/* This exists solely to work round a warning from GNU C. */
2543static int /* PRIVATE */
2544png_gt(size_t a, size_t b)
2545{
2546   return a > b;
2547}
2548#else
2549#   define png_gt(a,b) ((a) > (b))
2550#endif
2551
2552void /* PRIVATE */
2553png_check_IHDR(png_const_structrp png_ptr,
2554    png_uint_32 width, png_uint_32 height, int bit_depth,
2555    int color_type, int interlace_type, int compression_type,
2556    int filter_type)
2557{
2558   int error = 0;
2559
2560   /* Check for width and height valid values */
2561   if (width == 0)
2562   {
2563      png_warning(png_ptr, "Image width is zero in IHDR");
2564      error = 1;
2565   }
2566
2567   if (width > PNG_UINT_31_MAX)
2568   {
2569      png_warning(png_ptr, "Invalid image width in IHDR");
2570      error = 1;
2571   }
2572
2573   if (png_gt(((width + 7) & (~7U)),
2574       ((PNG_SIZE_MAX
2575           - 48        /* big_row_buf hack */
2576           - 1)        /* filter byte */
2577           / 8)        /* 8-byte RGBA pixels */
2578           - 1))       /* extra max_pixel_depth pad */
2579   {
2580      /* The size of the row must be within the limits of this architecture.
2581       * Because the read code can perform arbitrary transformations the
2582       * maximum size is checked here.  Because the code in png_read_start_row
2583       * adds extra space "for safety's sake" in several places a conservative
2584       * limit is used here.
2585       *
2586       * NOTE: it would be far better to check the size that is actually used,
2587       * but the effect in the real world is minor and the changes are more
2588       * extensive, therefore much more dangerous and much more difficult to
2589       * write in a way that avoids compiler warnings.
2590       */
2591      png_warning(png_ptr, "Image width is too large for this architecture");
2592      error = 1;
2593   }
2594
2595#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2596   if (width > png_ptr->user_width_max)
2597#else
2598   if (width > PNG_USER_WIDTH_MAX)
2599#endif
2600   {
2601      png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2602      error = 1;
2603   }
2604
2605   if (height == 0)
2606   {
2607      png_warning(png_ptr, "Image height is zero in IHDR");
2608      error = 1;
2609   }
2610
2611   if (height > PNG_UINT_31_MAX)
2612   {
2613      png_warning(png_ptr, "Invalid image height in IHDR");
2614      error = 1;
2615   }
2616
2617#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2618   if (height > png_ptr->user_height_max)
2619#else
2620   if (height > PNG_USER_HEIGHT_MAX)
2621#endif
2622   {
2623      png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2624      error = 1;
2625   }
2626
2627   /* Check other values */
2628   if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2629       bit_depth != 8 && bit_depth != 16)
2630   {
2631      png_warning(png_ptr, "Invalid bit depth in IHDR");
2632      error = 1;
2633   }
2634
2635   if (color_type < 0 || color_type == 1 ||
2636       color_type == 5 || color_type > 6)
2637   {
2638      png_warning(png_ptr, "Invalid color type in IHDR");
2639      error = 1;
2640   }
2641
2642   if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2643       ((color_type == PNG_COLOR_TYPE_RGB ||
2644         color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2645         color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2646   {
2647      png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2648      error = 1;
2649   }
2650
2651   if (interlace_type >= PNG_INTERLACE_LAST)
2652   {
2653      png_warning(png_ptr, "Unknown interlace method in IHDR");
2654      error = 1;
2655   }
2656
2657   if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2658   {
2659      png_warning(png_ptr, "Unknown compression method in IHDR");
2660      error = 1;
2661   }
2662
2663#ifdef PNG_MNG_FEATURES_SUPPORTED
2664   /* Accept filter_method 64 (intrapixel differencing) only if
2665    * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2666    * 2. Libpng did not read a PNG signature (this filter_method is only
2667    *    used in PNG datastreams that are embedded in MNG datastreams) and
2668    * 3. The application called png_permit_mng_features with a mask that
2669    *    included PNG_FLAG_MNG_FILTER_64 and
2670    * 4. The filter_method is 64 and
2671    * 5. The color_type is RGB or RGBA
2672    */
2673   if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2674       png_ptr->mng_features_permitted != 0)
2675      png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2676
2677   if (filter_type != PNG_FILTER_TYPE_BASE)
2678   {
2679      if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2680          (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2681          ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2682          (color_type == PNG_COLOR_TYPE_RGB ||
2683          color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2684      {
2685         png_warning(png_ptr, "Unknown filter method in IHDR");
2686         error = 1;
2687      }
2688
2689      if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2690      {
2691         png_warning(png_ptr, "Invalid filter method in IHDR");
2692         error = 1;
2693      }
2694   }
2695
2696#else
2697   if (filter_type != PNG_FILTER_TYPE_BASE)
2698   {
2699      png_warning(png_ptr, "Unknown filter method in IHDR");
2700      error = 1;
2701   }
2702#endif
2703
2704   if (error == 1)
2705      png_error(png_ptr, "Invalid IHDR data");
2706}
2707
2708#if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2709/* ASCII to fp functions */
2710/* Check an ASCII formated floating point value, see the more detailed
2711 * comments in pngpriv.h
2712 */
2713/* The following is used internally to preserve the sticky flags */
2714#define png_fp_add(state, flags) ((state) |= (flags))
2715#define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2716
2717int /* PRIVATE */
2718png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2719    png_size_tp whereami)
2720{
2721   int state = *statep;
2722   png_size_t i = *whereami;
2723
2724   while (i < size)
2725   {
2726      int type;
2727      /* First find the type of the next character */
2728      switch (string[i])
2729      {
2730      case 43:  type = PNG_FP_SAW_SIGN;                   break;
2731      case 45:  type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2732      case 46:  type = PNG_FP_SAW_DOT;                    break;
2733      case 48:  type = PNG_FP_SAW_DIGIT;                  break;
2734      case 49: case 50: case 51: case 52:
2735      case 53: case 54: case 55: case 56:
2736      case 57:  type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2737      case 69:
2738      case 101: type = PNG_FP_SAW_E;                      break;
2739      default:  goto PNG_FP_End;
2740      }
2741
2742      /* Now deal with this type according to the current
2743       * state, the type is arranged to not overlap the
2744       * bits of the PNG_FP_STATE.
2745       */
2746      switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2747      {
2748      case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2749         if ((state & PNG_FP_SAW_ANY) != 0)
2750            goto PNG_FP_End; /* not a part of the number */
2751
2752         png_fp_add(state, type);
2753         break;
2754
2755      case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2756         /* Ok as trailer, ok as lead of fraction. */
2757         if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2758            goto PNG_FP_End;
2759
2760         else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2761            png_fp_add(state, type);
2762
2763         else
2764            png_fp_set(state, PNG_FP_FRACTION | type);
2765
2766         break;
2767
2768      case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2769         if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2770            png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2771
2772         png_fp_add(state, type | PNG_FP_WAS_VALID);
2773
2774         break;
2775
2776      case PNG_FP_INTEGER + PNG_FP_SAW_E:
2777         if ((state & PNG_FP_SAW_DIGIT) == 0)
2778            goto PNG_FP_End;
2779
2780         png_fp_set(state, PNG_FP_EXPONENT);
2781
2782         break;
2783
2784   /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2785         goto PNG_FP_End; ** no sign in fraction */
2786
2787   /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2788         goto PNG_FP_End; ** Because SAW_DOT is always set */
2789
2790      case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2791         png_fp_add(state, type | PNG_FP_WAS_VALID);
2792         break;
2793
2794      case PNG_FP_FRACTION + PNG_FP_SAW_E:
2795         /* This is correct because the trailing '.' on an
2796          * integer is handled above - so we can only get here
2797          * with the sequence ".E" (with no preceding digits).
2798          */
2799         if ((state & PNG_FP_SAW_DIGIT) == 0)
2800            goto PNG_FP_End;
2801
2802         png_fp_set(state, PNG_FP_EXPONENT);
2803
2804         break;
2805
2806      case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2807         if ((state & PNG_FP_SAW_ANY) != 0)
2808            goto PNG_FP_End; /* not a part of the number */
2809
2810         png_fp_add(state, PNG_FP_SAW_SIGN);
2811
2812         break;
2813
2814   /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2815         goto PNG_FP_End; */
2816
2817      case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2818         png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2819
2820         break;
2821
2822   /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2823         goto PNG_FP_End; */
2824
2825      default: goto PNG_FP_End; /* I.e. break 2 */
2826      }
2827
2828      /* The character seems ok, continue. */
2829      ++i;
2830   }
2831
2832PNG_FP_End:
2833   /* Here at the end, update the state and return the correct
2834    * return code.
2835    */
2836   *statep = state;
2837   *whereami = i;
2838
2839   return (state & PNG_FP_SAW_DIGIT) != 0;
2840}
2841
2842
2843/* The same but for a complete string. */
2844int
2845png_check_fp_string(png_const_charp string, png_size_t size)
2846{
2847   int        state=0;
2848   png_size_t char_index=0;
2849
2850   if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2851      (char_index == size || string[char_index] == 0))
2852      return state /* must be non-zero - see above */;
2853
2854   return 0; /* i.e. fail */
2855}
2856#endif /* pCAL || sCAL */
2857
2858#ifdef PNG_sCAL_SUPPORTED
2859#  ifdef PNG_FLOATING_POINT_SUPPORTED
2860/* Utility used below - a simple accurate power of ten from an integral
2861 * exponent.
2862 */
2863static double
2864png_pow10(int power)
2865{
2866   int recip = 0;
2867   double d = 1;
2868
2869   /* Handle negative exponent with a reciprocal at the end because
2870    * 10 is exact whereas .1 is inexact in base 2
2871    */
2872   if (power < 0)
2873   {
2874      if (power < DBL_MIN_10_EXP) return 0;
2875      recip = 1; power = -power;
2876   }
2877
2878   if (power > 0)
2879   {
2880      /* Decompose power bitwise. */
2881      double mult = 10;
2882      do
2883      {
2884         if (power & 1) d *= mult;
2885         mult *= mult;
2886         power >>= 1;
2887      }
2888      while (power > 0);
2889
2890      if (recip != 0) d = 1/d;
2891   }
2892   /* else power is 0 and d is 1 */
2893
2894   return d;
2895}
2896
2897/* Function to format a floating point value in ASCII with a given
2898 * precision.
2899 */
2900#if GCC_STRICT_OVERFLOW
2901#pragma GCC diagnostic push
2902/* The problem arises below with exp_b10, which can never overflow because it
2903 * comes, originally, from frexp and is therefore limited to a range which is
2904 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2905 */
2906#pragma GCC diagnostic warning "-Wstrict-overflow=2"
2907#endif /* GCC_STRICT_OVERFLOW */
2908void /* PRIVATE */
2909png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
2910    double fp, unsigned int precision)
2911{
2912   /* We use standard functions from math.h, but not printf because
2913    * that would require stdio.  The caller must supply a buffer of
2914    * sufficient size or we will png_error.  The tests on size and
2915    * the space in ascii[] consumed are indicated below.
2916    */
2917   if (precision < 1)
2918      precision = DBL_DIG;
2919
2920   /* Enforce the limit of the implementation precision too. */
2921   if (precision > DBL_DIG+1)
2922      precision = DBL_DIG+1;
2923
2924   /* Basic sanity checks */
2925   if (size >= precision+5) /* See the requirements below. */
2926   {
2927      if (fp < 0)
2928      {
2929         fp = -fp;
2930         *ascii++ = 45; /* '-'  PLUS 1 TOTAL 1 */
2931         --size;
2932      }
2933
2934      if (fp >= DBL_MIN && fp <= DBL_MAX)
2935      {
2936         int exp_b10;   /* A base 10 exponent */
2937         double base;   /* 10^exp_b10 */
2938
2939         /* First extract a base 10 exponent of the number,
2940          * the calculation below rounds down when converting
2941          * from base 2 to base 10 (multiply by log10(2) -
2942          * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2943          * be increased.  Note that the arithmetic shift
2944          * performs a floor() unlike C arithmetic - using a
2945          * C multiply would break the following for negative
2946          * exponents.
2947          */
2948         (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2949
2950         exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2951
2952         /* Avoid underflow here. */
2953         base = png_pow10(exp_b10); /* May underflow */
2954
2955         while (base < DBL_MIN || base < fp)
2956         {
2957            /* And this may overflow. */
2958            double test = png_pow10(exp_b10+1);
2959
2960            if (test <= DBL_MAX)
2961            {
2962               ++exp_b10; base = test;
2963            }
2964
2965            else
2966               break;
2967         }
2968
2969         /* Normalize fp and correct exp_b10, after this fp is in the
2970          * range [.1,1) and exp_b10 is both the exponent and the digit
2971          * *before* which the decimal point should be inserted
2972          * (starting with 0 for the first digit).  Note that this
2973          * works even if 10^exp_b10 is out of range because of the
2974          * test on DBL_MAX above.
2975          */
2976         fp /= base;
2977         while (fp >= 1)
2978         {
2979            fp /= 10; ++exp_b10;
2980         }
2981
2982         /* Because of the code above fp may, at this point, be
2983          * less than .1, this is ok because the code below can
2984          * handle the leading zeros this generates, so no attempt
2985          * is made to correct that here.
2986          */
2987
2988         {
2989            unsigned int czero, clead, cdigits;
2990            char exponent[10];
2991
2992            /* Allow up to two leading zeros - this will not lengthen
2993             * the number compared to using E-n.
2994             */
2995            if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2996            {
2997               czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
2998               exp_b10 = 0;      /* Dot added below before first output. */
2999            }
3000            else
3001               czero = 0;    /* No zeros to add */
3002
3003            /* Generate the digit list, stripping trailing zeros and
3004             * inserting a '.' before a digit if the exponent is 0.
3005             */
3006            clead = czero; /* Count of leading zeros */
3007            cdigits = 0;   /* Count of digits in list. */
3008
3009            do
3010            {
3011               double d;
3012
3013               fp *= 10;
3014               /* Use modf here, not floor and subtract, so that
3015                * the separation is done in one step.  At the end
3016                * of the loop don't break the number into parts so
3017                * that the final digit is rounded.
3018                */
3019               if (cdigits+czero+1 < precision+clead)
3020                  fp = modf(fp, &d);
3021
3022               else
3023               {
3024                  d = floor(fp + .5);
3025
3026                  if (d > 9)
3027                  {
3028                     /* Rounding up to 10, handle that here. */
3029                     if (czero > 0)
3030                     {
3031                        --czero; d = 1;
3032                        if (cdigits == 0) --clead;
3033                     }
3034                     else
3035                     {
3036                        while (cdigits > 0 && d > 9)
3037                        {
3038                           int ch = *--ascii;
3039
3040                           if (exp_b10 != (-1))
3041                              ++exp_b10;
3042
3043                           else if (ch == 46)
3044                           {
3045                              ch = *--ascii; ++size;
3046                              /* Advance exp_b10 to '1', so that the
3047                               * decimal point happens after the
3048                               * previous digit.
3049                               */
3050                              exp_b10 = 1;
3051                           }
3052
3053                           --cdigits;
3054                           d = ch - 47;  /* I.e. 1+(ch-48) */
3055                        }
3056
3057                        /* Did we reach the beginning? If so adjust the
3058                         * exponent but take into account the leading
3059                         * decimal point.
3060                         */
3061                        if (d > 9)  /* cdigits == 0 */
3062                        {
3063                           if (exp_b10 == (-1))
3064                           {
3065                              /* Leading decimal point (plus zeros?), if
3066                               * we lose the decimal point here it must
3067                               * be reentered below.
3068                               */
3069                              int ch = *--ascii;
3070
3071                              if (ch == 46)
3072                              {
3073                                 ++size; exp_b10 = 1;
3074                              }
3075
3076                              /* Else lost a leading zero, so 'exp_b10' is
3077                               * still ok at (-1)
3078                               */
3079                           }
3080                           else
3081                              ++exp_b10;
3082
3083                           /* In all cases we output a '1' */
3084                           d = 1;
3085                        }
3086                     }
3087                  }
3088                  fp = 0; /* Guarantees termination below. */
3089               }
3090
3091               if (d == 0)
3092               {
3093                  ++czero;
3094                  if (cdigits == 0) ++clead;
3095               }
3096               else
3097               {
3098                  /* Included embedded zeros in the digit count. */
3099                  cdigits += czero - clead;
3100                  clead = 0;
3101
3102                  while (czero > 0)
3103                  {
3104                     /* exp_b10 == (-1) means we just output the decimal
3105                      * place - after the DP don't adjust 'exp_b10' any
3106                      * more!
3107                      */
3108                     if (exp_b10 != (-1))
3109                     {
3110                        if (exp_b10 == 0)
3111                        {
3112                           *ascii++ = 46; --size;
3113                        }
3114                        /* PLUS 1: TOTAL 4 */
3115                        --exp_b10;
3116                     }
3117                     *ascii++ = 48; --czero;
3118                  }
3119
3120                  if (exp_b10 != (-1))
3121                  {
3122                     if (exp_b10 == 0)
3123                     {
3124                        *ascii++ = 46; --size; /* counted above */
3125                     }
3126
3127                     --exp_b10;
3128                  }
3129                  *ascii++ = (char)(48 + (int)d); ++cdigits;
3130               }
3131            }
3132            while (cdigits+czero < precision+clead && fp > DBL_MIN);
3133
3134            /* The total output count (max) is now 4+precision */
3135
3136            /* Check for an exponent, if we don't need one we are
3137             * done and just need to terminate the string.  At
3138             * this point exp_b10==(-1) is effectively a flag - it got
3139             * to '-1' because of the decrement after outputting
3140             * the decimal point above (the exponent required is
3141             * *not* -1!)
3142             */
3143            if (exp_b10 >= (-1) && exp_b10 <= 2)
3144            {
3145               /* The following only happens if we didn't output the
3146                * leading zeros above for negative exponent, so this
3147                * doesn't add to the digit requirement.  Note that the
3148                * two zeros here can only be output if the two leading
3149                * zeros were *not* output, so this doesn't increase
3150                * the output count.
3151                */
3152               while (exp_b10-- > 0) *ascii++ = 48;
3153
3154               *ascii = 0;
3155
3156               /* Total buffer requirement (including the '\0') is
3157                * 5+precision - see check at the start.
3158                */
3159               return;
3160            }
3161
3162            /* Here if an exponent is required, adjust size for
3163             * the digits we output but did not count.  The total
3164             * digit output here so far is at most 1+precision - no
3165             * decimal point and no leading or trailing zeros have
3166             * been output.
3167             */
3168            size -= cdigits;
3169
3170            *ascii++ = 69; --size;    /* 'E': PLUS 1 TOTAL 2+precision */
3171
3172            /* The following use of an unsigned temporary avoids ambiguities in
3173             * the signed arithmetic on exp_b10 and permits GCC at least to do
3174             * better optimization.
3175             */
3176            {
3177               unsigned int uexp_b10;
3178
3179               if (exp_b10 < 0)
3180               {
3181                  *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3182                  uexp_b10 = 0U-exp_b10;
3183               }
3184
3185               else
3186                  uexp_b10 = 0U+exp_b10;
3187
3188               cdigits = 0;
3189
3190               while (uexp_b10 > 0)
3191               {
3192                  exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3193                  uexp_b10 /= 10;
3194               }
3195            }
3196
3197            /* Need another size check here for the exponent digits, so
3198             * this need not be considered above.
3199             */
3200            if (size > cdigits)
3201            {
3202               while (cdigits > 0) *ascii++ = exponent[--cdigits];
3203
3204               *ascii = 0;
3205
3206               return;
3207            }
3208         }
3209      }
3210      else if (!(fp >= DBL_MIN))
3211      {
3212         *ascii++ = 48; /* '0' */
3213         *ascii = 0;
3214         return;
3215      }
3216      else
3217      {
3218         *ascii++ = 105; /* 'i' */
3219         *ascii++ = 110; /* 'n' */
3220         *ascii++ = 102; /* 'f' */
3221         *ascii = 0;
3222         return;
3223      }
3224   }
3225
3226   /* Here on buffer too small. */
3227   png_error(png_ptr, "ASCII conversion buffer too small");
3228}
3229#if GCC_STRICT_OVERFLOW
3230#pragma GCC diagnostic pop
3231#endif /* GCC_STRICT_OVERFLOW */
3232
3233#  endif /* FLOATING_POINT */
3234
3235#  ifdef PNG_FIXED_POINT_SUPPORTED
3236/* Function to format a fixed point value in ASCII.
3237 */
3238void /* PRIVATE */
3239png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3240    png_size_t size, png_fixed_point fp)
3241{
3242   /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3243    * trailing \0, 13 characters:
3244    */
3245   if (size > 12)
3246   {
3247      png_uint_32 num;
3248
3249      /* Avoid overflow here on the minimum integer. */
3250      if (fp < 0)
3251      {
3252         *ascii++ = 45; num = (png_uint_32)(-fp);
3253      }
3254      else
3255         num = (png_uint_32)fp;
3256
3257      if (num <= 0x80000000) /* else overflowed */
3258      {
3259         unsigned int ndigits = 0, first = 16 /* flag value */;
3260         char digits[10];
3261
3262         while (num)
3263         {
3264            /* Split the low digit off num: */
3265            unsigned int tmp = num/10;
3266            num -= tmp*10;
3267            digits[ndigits++] = (char)(48 + num);
3268            /* Record the first non-zero digit, note that this is a number
3269             * starting at 1, it's not actually the array index.
3270             */
3271            if (first == 16 && num > 0)
3272               first = ndigits;
3273            num = tmp;
3274         }
3275
3276         if (ndigits > 0)
3277         {
3278            while (ndigits > 5) *ascii++ = digits[--ndigits];
3279            /* The remaining digits are fractional digits, ndigits is '5' or
3280             * smaller at this point.  It is certainly not zero.  Check for a
3281             * non-zero fractional digit:
3282             */
3283            if (first <= 5)
3284            {
3285               unsigned int i;
3286               *ascii++ = 46; /* decimal point */
3287               /* ndigits may be <5 for small numbers, output leading zeros
3288                * then ndigits digits to first:
3289                */
3290               i = 5;
3291               while (ndigits < i)
3292               {
3293                  *ascii++ = 48; --i;
3294               }
3295               while (ndigits >= first) *ascii++ = digits[--ndigits];
3296               /* Don't output the trailing zeros! */
3297            }
3298         }
3299         else
3300            *ascii++ = 48;
3301
3302         /* And null terminate the string: */
3303         *ascii = 0;
3304         return;
3305      }
3306   }
3307
3308   /* Here on buffer too small. */
3309   png_error(png_ptr, "ASCII conversion buffer too small");
3310}
3311#   endif /* FIXED_POINT */
3312#endif /* SCAL */
3313
3314#if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3315   !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3316   (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3317   defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3318   defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3319   (defined(PNG_sCAL_SUPPORTED) && \
3320   defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3321png_fixed_point
3322png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3323{
3324   double r = floor(100000 * fp + .5);
3325
3326   if (r > 2147483647. || r < -2147483648.)
3327      png_fixed_error(png_ptr, text);
3328
3329#  ifndef PNG_ERROR_TEXT_SUPPORTED
3330   PNG_UNUSED(text)
3331#  endif
3332
3333   return (png_fixed_point)r;
3334}
3335#endif
3336
3337#if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3338    defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3339/* muldiv functions */
3340/* This API takes signed arguments and rounds the result to the nearest
3341 * integer (or, for a fixed point number - the standard argument - to
3342 * the nearest .00001).  Overflow and divide by zero are signalled in
3343 * the result, a boolean - true on success, false on overflow.
3344 */
3345#if GCC_STRICT_OVERFLOW /* from above */
3346/* It is not obvious which comparison below gets optimized in such a way that
3347 * signed overflow would change the result; looking through the code does not
3348 * reveal any tests which have the form GCC complains about, so presumably the
3349 * optimizer is moving an add or subtract into the 'if' somewhere.
3350 */
3351#pragma GCC diagnostic push
3352#pragma GCC diagnostic warning "-Wstrict-overflow=2"
3353#endif /* GCC_STRICT_OVERFLOW */
3354int
3355png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3356    png_int_32 divisor)
3357{
3358   /* Return a * times / divisor, rounded. */
3359   if (divisor != 0)
3360   {
3361      if (a == 0 || times == 0)
3362      {
3363         *res = 0;
3364         return 1;
3365      }
3366      else
3367      {
3368#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3369         double r = a;
3370         r *= times;
3371         r /= divisor;
3372         r = floor(r+.5);
3373
3374         /* A png_fixed_point is a 32-bit integer. */
3375         if (r <= 2147483647. && r >= -2147483648.)
3376         {
3377            *res = (png_fixed_point)r;
3378            return 1;
3379         }
3380#else
3381         int negative = 0;
3382         png_uint_32 A, T, D;
3383         png_uint_32 s16, s32, s00;
3384
3385         if (a < 0)
3386            negative = 1, A = -a;
3387         else
3388            A = a;
3389
3390         if (times < 0)
3391            negative = !negative, T = -times;
3392         else
3393            T = times;
3394
3395         if (divisor < 0)
3396            negative = !negative, D = -divisor;
3397         else
3398            D = divisor;
3399
3400         /* Following can't overflow because the arguments only
3401          * have 31 bits each, however the result may be 32 bits.
3402          */
3403         s16 = (A >> 16) * (T & 0xffff) +
3404                           (A & 0xffff) * (T >> 16);
3405         /* Can't overflow because the a*times bit is only 30
3406          * bits at most.
3407          */
3408         s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3409         s00 = (A & 0xffff) * (T & 0xffff);
3410
3411         s16 = (s16 & 0xffff) << 16;
3412         s00 += s16;
3413
3414         if (s00 < s16)
3415            ++s32; /* carry */
3416
3417         if (s32 < D) /* else overflow */
3418         {
3419            /* s32.s00 is now the 64-bit product, do a standard
3420             * division, we know that s32 < D, so the maximum
3421             * required shift is 31.
3422             */
3423            int bitshift = 32;
3424            png_fixed_point result = 0; /* NOTE: signed */
3425
3426            while (--bitshift >= 0)
3427            {
3428               png_uint_32 d32, d00;
3429
3430               if (bitshift > 0)
3431                  d32 = D >> (32-bitshift), d00 = D << bitshift;
3432
3433               else
3434                  d32 = 0, d00 = D;
3435
3436               if (s32 > d32)
3437               {
3438                  if (s00 < d00) --s32; /* carry */
3439                  s32 -= d32, s00 -= d00, result += 1<<bitshift;
3440               }
3441
3442               else
3443                  if (s32 == d32 && s00 >= d00)
3444                     s32 = 0, s00 -= d00, result += 1<<bitshift;
3445            }
3446
3447            /* Handle the rounding. */
3448            if (s00 >= (D >> 1))
3449               ++result;
3450
3451            if (negative != 0)
3452               result = -result;
3453
3454            /* Check for overflow. */
3455            if ((negative != 0 && result <= 0) ||
3456                (negative == 0 && result >= 0))
3457            {
3458               *res = result;
3459               return 1;
3460            }
3461         }
3462#endif
3463      }
3464   }
3465
3466   return 0;
3467}
3468#if GCC_STRICT_OVERFLOW
3469#pragma GCC diagnostic pop
3470#endif /* GCC_STRICT_OVERFLOW */
3471#endif /* READ_GAMMA || INCH_CONVERSIONS */
3472
3473#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3474/* The following is for when the caller doesn't much care about the
3475 * result.
3476 */
3477png_fixed_point
3478png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3479    png_int_32 divisor)
3480{
3481   png_fixed_point result;
3482
3483   if (png_muldiv(&result, a, times, divisor) != 0)
3484      return result;
3485
3486   png_warning(png_ptr, "fixed point overflow ignored");
3487   return 0;
3488}
3489#endif
3490
3491#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3492/* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3493png_fixed_point
3494png_reciprocal(png_fixed_point a)
3495{
3496#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3497   double r = floor(1E10/a+.5);
3498
3499   if (r <= 2147483647. && r >= -2147483648.)
3500      return (png_fixed_point)r;
3501#else
3502   png_fixed_point res;
3503
3504   if (png_muldiv(&res, 100000, 100000, a) != 0)
3505      return res;
3506#endif
3507
3508   return 0; /* error/overflow */
3509}
3510
3511/* This is the shared test on whether a gamma value is 'significant' - whether
3512 * it is worth doing gamma correction.
3513 */
3514int /* PRIVATE */
3515png_gamma_significant(png_fixed_point gamma_val)
3516{
3517   return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3518       gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3519}
3520#endif
3521
3522#ifdef PNG_READ_GAMMA_SUPPORTED
3523#ifdef PNG_16BIT_SUPPORTED
3524/* A local convenience routine. */
3525static png_fixed_point
3526png_product2(png_fixed_point a, png_fixed_point b)
3527{
3528   /* The required result is 1/a * 1/b; the following preserves accuracy. */
3529#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3530   double r = a * 1E-5;
3531   r *= b;
3532   r = floor(r+.5);
3533
3534   if (r <= 2147483647. && r >= -2147483648.)
3535      return (png_fixed_point)r;
3536#else
3537   png_fixed_point res;
3538
3539   if (png_muldiv(&res, a, b, 100000) != 0)
3540      return res;
3541#endif
3542
3543   return 0; /* overflow */
3544}
3545#endif /* 16BIT */
3546
3547/* The inverse of the above. */
3548png_fixed_point
3549png_reciprocal2(png_fixed_point a, png_fixed_point b)
3550{
3551   /* The required result is 1/a * 1/b; the following preserves accuracy. */
3552#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3553   if (a != 0 && b != 0)
3554   {
3555      double r = 1E15/a;
3556      r /= b;
3557      r = floor(r+.5);
3558
3559      if (r <= 2147483647. && r >= -2147483648.)
3560         return (png_fixed_point)r;
3561   }
3562#else
3563   /* This may overflow because the range of png_fixed_point isn't symmetric,
3564    * but this API is only used for the product of file and screen gamma so it
3565    * doesn't matter that the smallest number it can produce is 1/21474, not
3566    * 1/100000
3567    */
3568   png_fixed_point res = png_product2(a, b);
3569
3570   if (res != 0)
3571      return png_reciprocal(res);
3572#endif
3573
3574   return 0; /* overflow */
3575}
3576#endif /* READ_GAMMA */
3577
3578#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3579#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3580/* Fixed point gamma.
3581 *
3582 * The code to calculate the tables used below can be found in the shell script
3583 * contrib/tools/intgamma.sh
3584 *
3585 * To calculate gamma this code implements fast log() and exp() calls using only
3586 * fixed point arithmetic.  This code has sufficient precision for either 8-bit
3587 * or 16-bit sample values.
3588 *
3589 * The tables used here were calculated using simple 'bc' programs, but C double
3590 * precision floating point arithmetic would work fine.
3591 *
3592 * 8-bit log table
3593 *   This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3594 *   255, so it's the base 2 logarithm of a normalized 8-bit floating point
3595 *   mantissa.  The numbers are 32-bit fractions.
3596 */
3597static const png_uint_32
3598png_8bit_l2[128] =
3599{
3600   4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3601   3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3602   3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3603   3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3604   3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3605   2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3606   2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3607   2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3608   2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3609   2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3610   1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3611   1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3612   1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3613   1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3614   1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3615   971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3616   803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3617   639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3618   479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3619   324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3620   172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3621   24347096U, 0U
3622
3623#if 0
3624   /* The following are the values for 16-bit tables - these work fine for the
3625    * 8-bit conversions but produce very slightly larger errors in the 16-bit
3626    * log (about 1.2 as opposed to 0.7 absolute error in the final value).  To
3627    * use these all the shifts below must be adjusted appropriately.
3628    */
3629   65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3630   57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3631   50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3632   43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3633   37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3634   31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3635   25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3636   20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3637   15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3638   10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3639   6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3640   1119, 744, 372
3641#endif
3642};
3643
3644static png_int_32
3645png_log8bit(unsigned int x)
3646{
3647   unsigned int lg2 = 0;
3648   /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3649    * because the log is actually negate that means adding 1.  The final
3650    * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3651    * input), return -1 for the overflow (log 0) case, - so the result is
3652    * always at most 19 bits.
3653    */
3654   if ((x &= 0xff) == 0)
3655      return -1;
3656
3657   if ((x & 0xf0) == 0)
3658      lg2  = 4, x <<= 4;
3659
3660   if ((x & 0xc0) == 0)
3661      lg2 += 2, x <<= 2;
3662
3663   if ((x & 0x80) == 0)
3664      lg2 += 1, x <<= 1;
3665
3666   /* result is at most 19 bits, so this cast is safe: */
3667   return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3668}
3669
3670/* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3671 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3672 * get an approximation then multiply the approximation by a correction factor
3673 * determined by the remaining up to 8 bits.  This requires an additional step
3674 * in the 16-bit case.
3675 *
3676 * We want log2(value/65535), we have log2(v'/255), where:
3677 *
3678 *    value = v' * 256 + v''
3679 *          = v' * f
3680 *
3681 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3682 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3683 * than 258.  The final factor also needs to correct for the fact that our 8-bit
3684 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3685 *
3686 * This gives a final formula using a calculated value 'x' which is value/v' and
3687 * scaling by 65536 to match the above table:
3688 *
3689 *   log2(x/257) * 65536
3690 *
3691 * Since these numbers are so close to '1' we can use simple linear
3692 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3693 * (result 367.179).  The values used below are scaled by a further 64 to give
3694 * 16-bit precision in the interpolation:
3695 *
3696 * Start (256): -23591
3697 * Zero  (257):      0
3698 * End   (258):  23499
3699 */
3700#ifdef PNG_16BIT_SUPPORTED
3701static png_int_32
3702png_log16bit(png_uint_32 x)
3703{
3704   unsigned int lg2 = 0;
3705
3706   /* As above, but now the input has 16 bits. */
3707   if ((x &= 0xffff) == 0)
3708      return -1;
3709
3710   if ((x & 0xff00) == 0)
3711      lg2  = 8, x <<= 8;
3712
3713   if ((x & 0xf000) == 0)
3714      lg2 += 4, x <<= 4;
3715
3716   if ((x & 0xc000) == 0)
3717      lg2 += 2, x <<= 2;
3718
3719   if ((x & 0x8000) == 0)
3720      lg2 += 1, x <<= 1;
3721
3722   /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3723    * value.
3724    */
3725   lg2 <<= 28;
3726   lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3727
3728   /* Now we need to interpolate the factor, this requires a division by the top
3729    * 8 bits.  Do this with maximum precision.
3730    */
3731   x = ((x << 16) + (x >> 9)) / (x >> 8);
3732
3733   /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3734    * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3735    * 16 bits to interpolate to get the low bits of the result.  Round the
3736    * answer.  Note that the end point values are scaled by 64 to retain overall
3737    * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3738    * the overall scaling by 6-12.  Round at every step.
3739    */
3740   x -= 1U << 24;
3741
3742   if (x <= 65536U) /* <= '257' */
3743      lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3744
3745   else
3746      lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3747
3748   /* Safe, because the result can't have more than 20 bits: */
3749   return (png_int_32)((lg2 + 2048) >> 12);
3750}
3751#endif /* 16BIT */
3752
3753/* The 'exp()' case must invert the above, taking a 20-bit fixed point
3754 * logarithmic value and returning a 16 or 8-bit number as appropriate.  In
3755 * each case only the low 16 bits are relevant - the fraction - since the
3756 * integer bits (the top 4) simply determine a shift.
3757 *
3758 * The worst case is the 16-bit distinction between 65535 and 65534. This
3759 * requires perhaps spurious accuracy in the decoding of the logarithm to
3760 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits.  There is little chance
3761 * of getting this accuracy in practice.
3762 *
3763 * To deal with this the following exp() function works out the exponent of the
3764 * fractional part of the logarithm by using an accurate 32-bit value from the
3765 * top four fractional bits then multiplying in the remaining bits.
3766 */
3767static const png_uint_32
3768png_32bit_exp[16] =
3769{
3770   /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3771   4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3772   3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3773   2553802834U, 2445529972U, 2341847524U, 2242560872U
3774};
3775
3776/* Adjustment table; provided to explain the numbers in the code below. */
3777#if 0
3778for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3779   11 44937.64284865548751208448
3780   10 45180.98734845585101160448
3781    9 45303.31936980687359311872
3782    8 45364.65110595323018870784
3783    7 45395.35850361789624614912
3784    6 45410.72259715102037508096
3785    5 45418.40724413220722311168
3786    4 45422.25021786898173001728
3787    3 45424.17186732298419044352
3788    2 45425.13273269940811464704
3789    1 45425.61317555035558641664
3790    0 45425.85339951654943850496
3791#endif
3792
3793static png_uint_32
3794png_exp(png_fixed_point x)
3795{
3796   if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3797   {
3798      /* Obtain a 4-bit approximation */
3799      png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3800
3801      /* Incorporate the low 12 bits - these decrease the returned value by
3802       * multiplying by a number less than 1 if the bit is set.  The multiplier
3803       * is determined by the above table and the shift. Notice that the values
3804       * converge on 45426 and this is used to allow linear interpolation of the
3805       * low bits.
3806       */
3807      if (x & 0x800)
3808         e -= (((e >> 16) * 44938U) +  16U) >> 5;
3809
3810      if (x & 0x400)
3811         e -= (((e >> 16) * 45181U) +  32U) >> 6;
3812
3813      if (x & 0x200)
3814         e -= (((e >> 16) * 45303U) +  64U) >> 7;
3815
3816      if (x & 0x100)
3817         e -= (((e >> 16) * 45365U) + 128U) >> 8;
3818
3819      if (x & 0x080)
3820         e -= (((e >> 16) * 45395U) + 256U) >> 9;
3821
3822      if (x & 0x040)
3823         e -= (((e >> 16) * 45410U) + 512U) >> 10;
3824
3825      /* And handle the low 6 bits in a single block. */
3826      e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3827
3828      /* Handle the upper bits of x. */
3829      e >>= x >> 16;
3830      return e;
3831   }
3832
3833   /* Check for overflow */
3834   if (x <= 0)
3835      return png_32bit_exp[0];
3836
3837   /* Else underflow */
3838   return 0;
3839}
3840
3841static png_byte
3842png_exp8bit(png_fixed_point lg2)
3843{
3844   /* Get a 32-bit value: */
3845   png_uint_32 x = png_exp(lg2);
3846
3847   /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3848    * second, rounding, step can't overflow because of the first, subtraction,
3849    * step.
3850    */
3851   x -= x >> 8;
3852   return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3853}
3854
3855#ifdef PNG_16BIT_SUPPORTED
3856static png_uint_16
3857png_exp16bit(png_fixed_point lg2)
3858{
3859   /* Get a 32-bit value: */
3860   png_uint_32 x = png_exp(lg2);
3861
3862   /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3863   x -= x >> 16;
3864   return (png_uint_16)((x + 32767U) >> 16);
3865}
3866#endif /* 16BIT */
3867#endif /* FLOATING_ARITHMETIC */
3868
3869png_byte
3870png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3871{
3872   if (value > 0 && value < 255)
3873   {
3874#     ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3875         /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3876          * convert this to a floating point value.  This includes values that
3877          * would overflow if 'value' were to be converted to 'int'.
3878          *
3879          * Apparently GCC, however, does an intermediate conversion to (int)
3880          * on some (ARM) but not all (x86) platforms, possibly because of
3881          * hardware FP limitations.  (E.g. if the hardware conversion always
3882          * assumes the integer register contains a signed value.)  This results
3883          * in ANSI-C undefined behavior for large values.
3884          *
3885          * Other implementations on the same machine might actually be ANSI-C90
3886          * conformant and therefore compile spurious extra code for the large
3887          * values.
3888          *
3889          * We can be reasonably sure that an unsigned to float conversion
3890          * won't be faster than an int to float one.  Therefore this code
3891          * assumes responsibility for the undefined behavior, which it knows
3892          * can't happen because of the check above.
3893          *
3894          * Note the argument to this routine is an (unsigned int) because, on
3895          * 16-bit platforms, it is assigned a value which might be out of
3896          * range for an (int); that would result in undefined behavior in the
3897          * caller if the *argument* ('value') were to be declared (int).
3898          */
3899         double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3900         return (png_byte)r;
3901#     else
3902         png_int_32 lg2 = png_log8bit(value);
3903         png_fixed_point res;
3904
3905         if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3906            return png_exp8bit(res);
3907
3908         /* Overflow. */
3909         value = 0;
3910#     endif
3911   }
3912
3913   return (png_byte)(value & 0xff);
3914}
3915
3916#ifdef PNG_16BIT_SUPPORTED
3917png_uint_16
3918png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3919{
3920   if (value > 0 && value < 65535)
3921   {
3922# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3923      /* The same (unsigned int)->(double) constraints apply here as above,
3924       * however in this case the (unsigned int) to (int) conversion can
3925       * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3926       * that this is not possible.
3927       */
3928      double r = floor(65535*pow((png_int_32)value/65535.,
3929          gamma_val*.00001)+.5);
3930      return (png_uint_16)r;
3931# else
3932      png_int_32 lg2 = png_log16bit(value);
3933      png_fixed_point res;
3934
3935      if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3936         return png_exp16bit(res);
3937
3938      /* Overflow. */
3939      value = 0;
3940# endif
3941   }
3942
3943   return (png_uint_16)value;
3944}
3945#endif /* 16BIT */
3946
3947/* This does the right thing based on the bit_depth field of the
3948 * png_struct, interpreting values as 8-bit or 16-bit.  While the result
3949 * is nominally a 16-bit value if bit depth is 8 then the result is
3950 * 8-bit (as are the arguments.)
3951 */
3952png_uint_16 /* PRIVATE */
3953png_gamma_correct(png_structrp png_ptr, unsigned int value,
3954    png_fixed_point gamma_val)
3955{
3956   if (png_ptr->bit_depth == 8)
3957      return png_gamma_8bit_correct(value, gamma_val);
3958
3959#ifdef PNG_16BIT_SUPPORTED
3960   else
3961      return png_gamma_16bit_correct(value, gamma_val);
3962#else
3963      /* should not reach this */
3964      return 0;
3965#endif /* 16BIT */
3966}
3967
3968#ifdef PNG_16BIT_SUPPORTED
3969/* Internal function to build a single 16-bit table - the table consists of
3970 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3971 * to shift the input values right (or 16-number_of_signifiant_bits).
3972 *
3973 * The caller is responsible for ensuring that the table gets cleaned up on
3974 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3975 * should be somewhere that will be cleaned.
3976 */
3977static void
3978png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3979    PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3980{
3981   /* Various values derived from 'shift': */
3982   PNG_CONST unsigned int num = 1U << (8U - shift);
3983#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3984   /* CSE the division and work round wacky GCC warnings (see the comments
3985    * in png_gamma_8bit_correct for where these come from.)
3986    */
3987   PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);
3988#endif
3989   PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3990   PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
3991   unsigned int i;
3992
3993   png_uint_16pp table = *ptable =
3994       (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3995
3996   for (i = 0; i < num; i++)
3997   {
3998      png_uint_16p sub_table = table[i] =
3999          (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
4000
4001      /* The 'threshold' test is repeated here because it can arise for one of
4002       * the 16-bit tables even if the others don't hit it.
4003       */
4004      if (png_gamma_significant(gamma_val) != 0)
4005      {
4006         /* The old code would overflow at the end and this would cause the
4007          * 'pow' function to return a result >1, resulting in an
4008          * arithmetic error.  This code follows the spec exactly; ig is
4009          * the recovered input sample, it always has 8-16 bits.
4010          *
4011          * We want input * 65535/max, rounded, the arithmetic fits in 32
4012          * bits (unsigned) so long as max <= 32767.
4013          */
4014         unsigned int j;
4015         for (j = 0; j < 256; j++)
4016         {
4017            png_uint_32 ig = (j << (8-shift)) + i;
4018#           ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4019               /* Inline the 'max' scaling operation: */
4020               /* See png_gamma_8bit_correct for why the cast to (int) is
4021                * required here.
4022                */
4023               double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4024               sub_table[j] = (png_uint_16)d;
4025#           else
4026               if (shift != 0)
4027                  ig = (ig * 65535U + max_by_2)/max;
4028
4029               sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4030#           endif
4031         }
4032      }
4033      else
4034      {
4035         /* We must still build a table, but do it the fast way. */
4036         unsigned int j;
4037
4038         for (j = 0; j < 256; j++)
4039         {
4040            png_uint_32 ig = (j << (8-shift)) + i;
4041
4042            if (shift != 0)
4043               ig = (ig * 65535U + max_by_2)/max;
4044
4045            sub_table[j] = (png_uint_16)ig;
4046         }
4047      }
4048   }
4049}
4050
4051/* NOTE: this function expects the *inverse* of the overall gamma transformation
4052 * required.
4053 */
4054static void
4055png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4056    PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
4057{
4058   PNG_CONST unsigned int num = 1U << (8U - shift);
4059   PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
4060   unsigned int i;
4061   png_uint_32 last;
4062
4063   png_uint_16pp table = *ptable =
4064       (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4065
4066   /* 'num' is the number of tables and also the number of low bits of low
4067    * bits of the input 16-bit value used to select a table.  Each table is
4068    * itself indexed by the high 8 bits of the value.
4069    */
4070   for (i = 0; i < num; i++)
4071      table[i] = (png_uint_16p)png_malloc(png_ptr,
4072          256 * (sizeof (png_uint_16)));
4073
4074   /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4075    * pow(out,g) is an *input* value.  'last' is the last input value set.
4076    *
4077    * In the loop 'i' is used to find output values.  Since the output is
4078    * 8-bit there are only 256 possible values.  The tables are set up to
4079    * select the closest possible output value for each input by finding
4080    * the input value at the boundary between each pair of output values
4081    * and filling the table up to that boundary with the lower output
4082    * value.
4083    *
4084    * The boundary values are 0.5,1.5..253.5,254.5.  Since these are 9-bit
4085    * values the code below uses a 16-bit value in i; the values start at
4086    * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4087    * entries are filled with 255).  Start i at 128 and fill all 'last'
4088    * table entries <= 'max'
4089    */
4090   last = 0;
4091   for (i = 0; i < 255; ++i) /* 8-bit output value */
4092   {
4093      /* Find the corresponding maximum input value */
4094      png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4095
4096      /* Find the boundary value in 16 bits: */
4097      png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4098
4099      /* Adjust (round) to (16-shift) bits: */
4100      bound = (bound * max + 32768U)/65535U + 1U;
4101
4102      while (last < bound)
4103      {
4104         table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4105         last++;
4106      }
4107   }
4108
4109   /* And fill in the final entries. */
4110   while (last < (num << 8))
4111   {
4112      table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4113      last++;
4114   }
4115}
4116#endif /* 16BIT */
4117
4118/* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4119 * typically much faster).  Note that libpng currently does no sBIT processing
4120 * (apparently contrary to the spec) so a 256-entry table is always generated.
4121 */
4122static void
4123png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4124    PNG_CONST png_fixed_point gamma_val)
4125{
4126   unsigned int i;
4127   png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4128
4129   if (png_gamma_significant(gamma_val) != 0)
4130      for (i=0; i<256; i++)
4131         table[i] = png_gamma_8bit_correct(i, gamma_val);
4132
4133   else
4134      for (i=0; i<256; ++i)
4135         table[i] = (png_byte)(i & 0xff);
4136}
4137
4138/* Used from png_read_destroy and below to release the memory used by the gamma
4139 * tables.
4140 */
4141void /* PRIVATE */
4142png_destroy_gamma_table(png_structrp png_ptr)
4143{
4144   png_free(png_ptr, png_ptr->gamma_table);
4145   png_ptr->gamma_table = NULL;
4146
4147#ifdef PNG_16BIT_SUPPORTED
4148   if (png_ptr->gamma_16_table != NULL)
4149   {
4150      int i;
4151      int istop = (1 << (8 - png_ptr->gamma_shift));
4152      for (i = 0; i < istop; i++)
4153      {
4154         png_free(png_ptr, png_ptr->gamma_16_table[i]);
4155      }
4156   png_free(png_ptr, png_ptr->gamma_16_table);
4157   png_ptr->gamma_16_table = NULL;
4158   }
4159#endif /* 16BIT */
4160
4161#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4162   defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4163   defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4164   png_free(png_ptr, png_ptr->gamma_from_1);
4165   png_ptr->gamma_from_1 = NULL;
4166   png_free(png_ptr, png_ptr->gamma_to_1);
4167   png_ptr->gamma_to_1 = NULL;
4168
4169#ifdef PNG_16BIT_SUPPORTED
4170   if (png_ptr->gamma_16_from_1 != NULL)
4171   {
4172      int i;
4173      int istop = (1 << (8 - png_ptr->gamma_shift));
4174      for (i = 0; i < istop; i++)
4175      {
4176         png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4177      }
4178   png_free(png_ptr, png_ptr->gamma_16_from_1);
4179   png_ptr->gamma_16_from_1 = NULL;
4180   }
4181   if (png_ptr->gamma_16_to_1 != NULL)
4182   {
4183      int i;
4184      int istop = (1 << (8 - png_ptr->gamma_shift));
4185      for (i = 0; i < istop; i++)
4186      {
4187         png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4188      }
4189   png_free(png_ptr, png_ptr->gamma_16_to_1);
4190   png_ptr->gamma_16_to_1 = NULL;
4191   }
4192#endif /* 16BIT */
4193#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4194}
4195
4196/* We build the 8- or 16-bit gamma tables here.  Note that for 16-bit
4197 * tables, we don't make a full table if we are reducing to 8-bit in
4198 * the future.  Note also how the gamma_16 tables are segmented so that
4199 * we don't need to allocate > 64K chunks for a full 16-bit table.
4200 */
4201void /* PRIVATE */
4202png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4203{
4204   png_debug(1, "in png_build_gamma_table");
4205
4206   /* Remove any existing table; this copes with multiple calls to
4207    * png_read_update_info. The warning is because building the gamma tables
4208    * multiple times is a performance hit - it's harmless but the ability to
4209    * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4210    * sensible to warn if the app introduces such a hit.
4211    */
4212   if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4213   {
4214      png_warning(png_ptr, "gamma table being rebuilt");
4215      png_destroy_gamma_table(png_ptr);
4216   }
4217
4218   if (bit_depth <= 8)
4219   {
4220      png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4221          png_ptr->screen_gamma > 0 ?
4222          png_reciprocal2(png_ptr->colorspace.gamma,
4223          png_ptr->screen_gamma) : PNG_FP_1);
4224
4225#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4226   defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4227   defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4228      if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4229      {
4230         png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4231             png_reciprocal(png_ptr->colorspace.gamma));
4232
4233         png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4234             png_ptr->screen_gamma > 0 ?
4235             png_reciprocal(png_ptr->screen_gamma) :
4236             png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4237      }
4238#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4239   }
4240#ifdef PNG_16BIT_SUPPORTED
4241   else
4242   {
4243      png_byte shift, sig_bit;
4244
4245      if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4246      {
4247         sig_bit = png_ptr->sig_bit.red;
4248
4249         if (png_ptr->sig_bit.green > sig_bit)
4250            sig_bit = png_ptr->sig_bit.green;
4251
4252         if (png_ptr->sig_bit.blue > sig_bit)
4253            sig_bit = png_ptr->sig_bit.blue;
4254      }
4255      else
4256         sig_bit = png_ptr->sig_bit.gray;
4257
4258      /* 16-bit gamma code uses this equation:
4259       *
4260       *   ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4261       *
4262       * Where 'iv' is the input color value and 'ov' is the output value -
4263       * pow(iv, gamma).
4264       *
4265       * Thus the gamma table consists of up to 256 256-entry tables.  The table
4266       * is selected by the (8-gamma_shift) most significant of the low 8 bits
4267       * of the color value then indexed by the upper 8 bits:
4268       *
4269       *   table[low bits][high 8 bits]
4270       *
4271       * So the table 'n' corresponds to all those 'iv' of:
4272       *
4273       *   <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4274       *
4275       */
4276      if (sig_bit > 0 && sig_bit < 16U)
4277         /* shift == insignificant bits */
4278         shift = (png_byte)((16U - sig_bit) & 0xff);
4279
4280      else
4281         shift = 0; /* keep all 16 bits */
4282
4283      if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4284      {
4285         /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4286          * the significant bits in the *input* when the output will
4287          * eventually be 8 bits.  By default it is 11.
4288          */
4289         if (shift < (16U - PNG_MAX_GAMMA_8))
4290            shift = (16U - PNG_MAX_GAMMA_8);
4291      }
4292
4293      if (shift > 8U)
4294         shift = 8U; /* Guarantees at least one table! */
4295
4296      png_ptr->gamma_shift = shift;
4297
4298      /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4299       * PNG_COMPOSE).  This effectively smashed the background calculation for
4300       * 16-bit output because the 8-bit table assumes the result will be
4301       * reduced to 8 bits.
4302       */
4303      if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4304          png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4305          png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4306          png_ptr->screen_gamma) : PNG_FP_1);
4307
4308      else
4309          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4310          png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4311          png_ptr->screen_gamma) : PNG_FP_1);
4312
4313#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4314   defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4315   defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4316      if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4317      {
4318         png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4319             png_reciprocal(png_ptr->colorspace.gamma));
4320
4321         /* Notice that the '16 from 1' table should be full precision, however
4322          * the lookup on this table still uses gamma_shift, so it can't be.
4323          * TODO: fix this.
4324          */
4325         png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4326             png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4327             png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4328      }
4329#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4330   }
4331#endif /* 16BIT */
4332}
4333#endif /* READ_GAMMA */
4334
4335/* HARDWARE OR SOFTWARE OPTION SUPPORT */
4336#ifdef PNG_SET_OPTION_SUPPORTED
4337int PNGAPI
4338png_set_option(png_structrp png_ptr, int option, int onoff)
4339{
4340   if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4341      (option & 1) == 0)
4342   {
4343      png_uint_32 mask = 3U << option;
4344      png_uint_32 setting = (2U + (onoff != 0)) << option;
4345      png_uint_32 current = png_ptr->options;
4346
4347      png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff);
4348
4349      return (int)(current & mask) >> option;
4350   }
4351
4352   return PNG_OPTION_INVALID;
4353}
4354#endif
4355
4356/* sRGB support */
4357#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4358   defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4359/* sRGB conversion tables; these are machine generated with the code in
4360 * contrib/tools/makesRGB.c.  The actual sRGB transfer curve defined in the
4361 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4362 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4363 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4364 * The inverse (linear to sRGB) table has accuracies as follows:
4365 *
4366 * For all possible (255*65535+1) input values:
4367 *
4368 *    error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4369 *
4370 * For the input values corresponding to the 65536 16-bit values:
4371 *
4372 *    error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4373 *
4374 * In all cases the inexact readings are only off by one.
4375 */
4376
4377#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4378/* The convert-to-sRGB table is only currently required for read. */
4379const png_uint_16 png_sRGB_table[256] =
4380{
4381   0,20,40,60,80,99,119,139,
4382   159,179,199,219,241,264,288,313,
4383   340,367,396,427,458,491,526,562,
4384   599,637,677,718,761,805,851,898,
4385   947,997,1048,1101,1156,1212,1270,1330,
4386   1391,1453,1517,1583,1651,1720,1790,1863,
4387   1937,2013,2090,2170,2250,2333,2418,2504,
4388   2592,2681,2773,2866,2961,3058,3157,3258,
4389   3360,3464,3570,3678,3788,3900,4014,4129,
4390   4247,4366,4488,4611,4736,4864,4993,5124,
4391   5257,5392,5530,5669,5810,5953,6099,6246,
4392   6395,6547,6700,6856,7014,7174,7335,7500,
4393   7666,7834,8004,8177,8352,8528,8708,8889,
4394   9072,9258,9445,9635,9828,10022,10219,10417,
4395   10619,10822,11028,11235,11446,11658,11873,12090,
4396   12309,12530,12754,12980,13209,13440,13673,13909,
4397   14146,14387,14629,14874,15122,15371,15623,15878,
4398   16135,16394,16656,16920,17187,17456,17727,18001,
4399   18277,18556,18837,19121,19407,19696,19987,20281,
4400   20577,20876,21177,21481,21787,22096,22407,22721,
4401   23038,23357,23678,24002,24329,24658,24990,25325,
4402   25662,26001,26344,26688,27036,27386,27739,28094,
4403   28452,28813,29176,29542,29911,30282,30656,31033,
4404   31412,31794,32179,32567,32957,33350,33745,34143,
4405   34544,34948,35355,35764,36176,36591,37008,37429,
4406   37852,38278,38706,39138,39572,40009,40449,40891,
4407   41337,41785,42236,42690,43147,43606,44069,44534,
4408   45002,45473,45947,46423,46903,47385,47871,48359,
4409   48850,49344,49841,50341,50844,51349,51858,52369,
4410   52884,53401,53921,54445,54971,55500,56032,56567,
4411   57105,57646,58190,58737,59287,59840,60396,60955,
4412   61517,62082,62650,63221,63795,64372,64952,65535
4413};
4414#endif /* SIMPLIFIED_READ */
4415
4416/* The base/delta tables are required for both read and write (but currently
4417 * only the simplified versions.)
4418 */
4419const png_uint_16 png_sRGB_base[512] =
4420{
4421   128,1782,3383,4644,5675,6564,7357,8074,
4422   8732,9346,9921,10463,10977,11466,11935,12384,
4423   12816,13233,13634,14024,14402,14769,15125,15473,
4424   15812,16142,16466,16781,17090,17393,17690,17981,
4425   18266,18546,18822,19093,19359,19621,19879,20133,
4426   20383,20630,20873,21113,21349,21583,21813,22041,
4427   22265,22487,22707,22923,23138,23350,23559,23767,
4428   23972,24175,24376,24575,24772,24967,25160,25352,
4429   25542,25730,25916,26101,26284,26465,26645,26823,
4430   27000,27176,27350,27523,27695,27865,28034,28201,
4431   28368,28533,28697,28860,29021,29182,29341,29500,
4432   29657,29813,29969,30123,30276,30429,30580,30730,
4433   30880,31028,31176,31323,31469,31614,31758,31902,
4434   32045,32186,32327,32468,32607,32746,32884,33021,
4435   33158,33294,33429,33564,33697,33831,33963,34095,
4436   34226,34357,34486,34616,34744,34873,35000,35127,
4437   35253,35379,35504,35629,35753,35876,35999,36122,
4438   36244,36365,36486,36606,36726,36845,36964,37083,
4439   37201,37318,37435,37551,37668,37783,37898,38013,
4440   38127,38241,38354,38467,38580,38692,38803,38915,
4441   39026,39136,39246,39356,39465,39574,39682,39790,
4442   39898,40005,40112,40219,40325,40431,40537,40642,
4443   40747,40851,40955,41059,41163,41266,41369,41471,
4444   41573,41675,41777,41878,41979,42079,42179,42279,
4445   42379,42478,42577,42676,42775,42873,42971,43068,
4446   43165,43262,43359,43456,43552,43648,43743,43839,
4447   43934,44028,44123,44217,44311,44405,44499,44592,
4448   44685,44778,44870,44962,45054,45146,45238,45329,
4449   45420,45511,45601,45692,45782,45872,45961,46051,
4450   46140,46229,46318,46406,46494,46583,46670,46758,
4451   46846,46933,47020,47107,47193,47280,47366,47452,
4452   47538,47623,47709,47794,47879,47964,48048,48133,
4453   48217,48301,48385,48468,48552,48635,48718,48801,
4454   48884,48966,49048,49131,49213,49294,49376,49458,
4455   49539,49620,49701,49782,49862,49943,50023,50103,
4456   50183,50263,50342,50422,50501,50580,50659,50738,
4457   50816,50895,50973,51051,51129,51207,51285,51362,
4458   51439,51517,51594,51671,51747,51824,51900,51977,
4459   52053,52129,52205,52280,52356,52432,52507,52582,
4460   52657,52732,52807,52881,52956,53030,53104,53178,
4461   53252,53326,53400,53473,53546,53620,53693,53766,
4462   53839,53911,53984,54056,54129,54201,54273,54345,
4463   54417,54489,54560,54632,54703,54774,54845,54916,
4464   54987,55058,55129,55199,55269,55340,55410,55480,
4465   55550,55620,55689,55759,55828,55898,55967,56036,
4466   56105,56174,56243,56311,56380,56448,56517,56585,
4467   56653,56721,56789,56857,56924,56992,57059,57127,
4468   57194,57261,57328,57395,57462,57529,57595,57662,
4469   57728,57795,57861,57927,57993,58059,58125,58191,
4470   58256,58322,58387,58453,58518,58583,58648,58713,
4471   58778,58843,58908,58972,59037,59101,59165,59230,
4472   59294,59358,59422,59486,59549,59613,59677,59740,
4473   59804,59867,59930,59993,60056,60119,60182,60245,
4474   60308,60370,60433,60495,60558,60620,60682,60744,
4475   60806,60868,60930,60992,61054,61115,61177,61238,
4476   61300,61361,61422,61483,61544,61605,61666,61727,
4477   61788,61848,61909,61969,62030,62090,62150,62211,
4478   62271,62331,62391,62450,62510,62570,62630,62689,
4479   62749,62808,62867,62927,62986,63045,63104,63163,
4480   63222,63281,63340,63398,63457,63515,63574,63632,
4481   63691,63749,63807,63865,63923,63981,64039,64097,
4482   64155,64212,64270,64328,64385,64443,64500,64557,
4483   64614,64672,64729,64786,64843,64900,64956,65013,
4484   65070,65126,65183,65239,65296,65352,65409,65465
4485};
4486
4487const png_byte png_sRGB_delta[512] =
4488{
4489   207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4490   52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4491   35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4492   28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4493   23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4494   21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4495   19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4496   17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4497   16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4498   15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4499   14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4500   13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4501   12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4502   12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4503   11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4504   11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4505   11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4506   10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4507   10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4508   10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4509   9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4510   9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4511   9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4512   9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4513   8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4514   8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4515   8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4516   8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4517   8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4518   7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4519   7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4520   7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4521};
4522#endif /* SIMPLIFIED READ/WRITE sRGB support */
4523
4524/* SIMPLIFIED READ/WRITE SUPPORT */
4525#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4526   defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4527static int
4528png_image_free_function(png_voidp argument)
4529{
4530   png_imagep image = png_voidcast(png_imagep, argument);
4531   png_controlp cp = image->opaque;
4532   png_control c;
4533
4534   /* Double check that we have a png_ptr - it should be impossible to get here
4535    * without one.
4536    */
4537   if (cp->png_ptr == NULL)
4538      return 0;
4539
4540   /* First free any data held in the control structure. */
4541#  ifdef PNG_STDIO_SUPPORTED
4542      if (cp->owned_file != 0)
4543      {
4544         FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4545         cp->owned_file = 0;
4546
4547         /* Ignore errors here. */
4548         if (fp != NULL)
4549         {
4550            cp->png_ptr->io_ptr = NULL;
4551            (void)fclose(fp);
4552         }
4553      }
4554#  endif
4555
4556   /* Copy the control structure so that the original, allocated, version can be
4557    * safely freed.  Notice that a png_error here stops the remainder of the
4558    * cleanup, but this is probably fine because that would indicate bad memory
4559    * problems anyway.
4560    */
4561   c = *cp;
4562   image->opaque = &c;
4563   png_free(c.png_ptr, cp);
4564
4565   /* Then the structures, calling the correct API. */
4566   if (c.for_write != 0)
4567   {
4568#     ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4569         png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4570#     else
4571         png_error(c.png_ptr, "simplified write not supported");
4572#     endif
4573   }
4574   else
4575   {
4576#     ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4577         png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4578#     else
4579         png_error(c.png_ptr, "simplified read not supported");
4580#     endif
4581   }
4582
4583   /* Success. */
4584   return 1;
4585}
4586
4587void PNGAPI
4588png_image_free(png_imagep image)
4589{
4590   /* Safely call the real function, but only if doing so is safe at this point
4591    * (if not inside an error handling context).  Otherwise assume
4592    * png_safe_execute will call this API after the return.
4593    */
4594   if (image != NULL && image->opaque != NULL &&
4595      image->opaque->error_buf == NULL)
4596   {
4597      /* Ignore errors here: */
4598      (void)png_safe_execute(image, png_image_free_function, image);
4599      image->opaque = NULL;
4600   }
4601}
4602
4603int /* PRIVATE */
4604png_image_error(png_imagep image, png_const_charp error_message)
4605{
4606   /* Utility to log an error. */
4607   png_safecat(image->message, (sizeof image->message), 0, error_message);
4608   image->warning_or_error |= PNG_IMAGE_ERROR;
4609   png_image_free(image);
4610   return 0;
4611}
4612
4613#endif /* SIMPLIFIED READ/WRITE */
4614#endif /* READ || WRITE */