src/third-party/libpng/png.c (view raw)
1
2/* png.c - location for general purpose libpng functions
3 *
4 * Last changed in libpng 1.6.33 [September 28, 2017]
5 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14#include "pngpriv.h"
15
16/* Generate a compiler error if there is an old png.h in the search path. */
17typedef png_libpng_version_1_6_34 Your_png_h_is_not_version_1_6_34;
18
19#ifdef __GNUC__
20/* The version tests may need to be added to, but the problem warning has
21 * consistently been fixed in GCC versions which obtain wide-spread release.
22 * The problem is that many versions of GCC rearrange comparison expressions in
23 * the optimizer in such a way that the results of the comparison will change
24 * if signed integer overflow occurs. Such comparisons are not permitted in
25 * ANSI C90, however GCC isn't clever enough to work out that that do not occur
26 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
27 * -Wextra. Unfortunately this is highly dependent on the optimizer and the
28 * machine architecture so the warning comes and goes unpredictably and is
29 * impossible to "fix", even were that a good idea.
30 */
31#if __GNUC__ == 7 && __GNUC_MINOR__ == 1
32#define GCC_STRICT_OVERFLOW 1
33#endif /* GNU 7.1.x */
34#endif /* GNU */
35#ifndef GCC_STRICT_OVERFLOW
36#define GCC_STRICT_OVERFLOW 0
37#endif
38
39/* Tells libpng that we have already handled the first "num_bytes" bytes
40 * of the PNG file signature. If the PNG data is embedded into another
41 * stream we can set num_bytes = 8 so that libpng will not attempt to read
42 * or write any of the magic bytes before it starts on the IHDR.
43 */
44
45#ifdef PNG_READ_SUPPORTED
46void PNGAPI
47png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
48{
49 unsigned int nb = (unsigned int)num_bytes;
50
51 png_debug(1, "in png_set_sig_bytes");
52
53 if (png_ptr == NULL)
54 return;
55
56 if (num_bytes < 0)
57 nb = 0;
58
59 if (nb > 8)
60 png_error(png_ptr, "Too many bytes for PNG signature");
61
62 png_ptr->sig_bytes = (png_byte)nb;
63}
64
65/* Checks whether the supplied bytes match the PNG signature. We allow
66 * checking less than the full 8-byte signature so that those apps that
67 * already read the first few bytes of a file to determine the file type
68 * can simply check the remaining bytes for extra assurance. Returns
69 * an integer less than, equal to, or greater than zero if sig is found,
70 * respectively, to be less than, to match, or be greater than the correct
71 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
72 */
73int PNGAPI
74png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
75{
76 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
77
78 if (num_to_check > 8)
79 num_to_check = 8;
80
81 else if (num_to_check < 1)
82 return (-1);
83
84 if (start > 7)
85 return (-1);
86
87 if (start + num_to_check > 8)
88 num_to_check = 8 - start;
89
90 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
91}
92
93#endif /* READ */
94
95#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
96/* Function to allocate memory for zlib */
97PNG_FUNCTION(voidpf /* PRIVATE */,
98png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
99{
100 png_alloc_size_t num_bytes = size;
101
102 if (png_ptr == NULL)
103 return NULL;
104
105 if (items >= (~(png_alloc_size_t)0)/size)
106 {
107 png_warning (png_voidcast(png_structrp, png_ptr),
108 "Potential overflow in png_zalloc()");
109 return NULL;
110 }
111
112 num_bytes *= items;
113 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
114}
115
116/* Function to free memory for zlib */
117void /* PRIVATE */
118png_zfree(voidpf png_ptr, voidpf ptr)
119{
120 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
121}
122
123/* Reset the CRC variable to 32 bits of 1's. Care must be taken
124 * in case CRC is > 32 bits to leave the top bits 0.
125 */
126void /* PRIVATE */
127png_reset_crc(png_structrp png_ptr)
128{
129 /* The cast is safe because the crc is a 32-bit value. */
130 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
131}
132
133/* Calculate the CRC over a section of data. We can only pass as
134 * much data to this routine as the largest single buffer size. We
135 * also check that this data will actually be used before going to the
136 * trouble of calculating it.
137 */
138void /* PRIVATE */
139png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
140{
141 int need_crc = 1;
142
143 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
144 {
145 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
146 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
147 need_crc = 0;
148 }
149
150 else /* critical */
151 {
152 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
153 need_crc = 0;
154 }
155
156 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
157 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
158 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
159 * necessary to perform a loop here.
160 */
161 if (need_crc != 0 && length > 0)
162 {
163 uLong crc = png_ptr->crc; /* Should never issue a warning */
164
165 do
166 {
167 uInt safe_length = (uInt)length;
168#ifndef __COVERITY__
169 if (safe_length == 0)
170 safe_length = (uInt)-1; /* evil, but safe */
171#endif
172
173 crc = crc32(crc, ptr, safe_length);
174
175 /* The following should never issue compiler warnings; if they do the
176 * target system has characteristics that will probably violate other
177 * assumptions within the libpng code.
178 */
179 ptr += safe_length;
180 length -= safe_length;
181 }
182 while (length > 0);
183
184 /* And the following is always safe because the crc is only 32 bits. */
185 png_ptr->crc = (png_uint_32)crc;
186 }
187}
188
189/* Check a user supplied version number, called from both read and write
190 * functions that create a png_struct.
191 */
192int
193png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
194{
195 /* Libpng versions 1.0.0 and later are binary compatible if the version
196 * string matches through the second '.'; we must recompile any
197 * applications that use any older library version.
198 */
199
200 if (user_png_ver != NULL)
201 {
202 int i = -1;
203 int found_dots = 0;
204
205 do
206 {
207 i++;
208 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
209 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
210 if (user_png_ver[i] == '.')
211 found_dots++;
212 } while (found_dots < 2 && user_png_ver[i] != 0 &&
213 PNG_LIBPNG_VER_STRING[i] != 0);
214 }
215
216 else
217 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
218
219 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
220 {
221#ifdef PNG_WARNINGS_SUPPORTED
222 size_t pos = 0;
223 char m[128];
224
225 pos = png_safecat(m, (sizeof m), pos,
226 "Application built with libpng-");
227 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
228 pos = png_safecat(m, (sizeof m), pos, " but running with ");
229 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
230 PNG_UNUSED(pos)
231
232 png_warning(png_ptr, m);
233#endif
234
235#ifdef PNG_ERROR_NUMBERS_SUPPORTED
236 png_ptr->flags = 0;
237#endif
238
239 return 0;
240 }
241
242 /* Success return. */
243 return 1;
244}
245
246/* Generic function to create a png_struct for either read or write - this
247 * contains the common initialization.
248 */
249PNG_FUNCTION(png_structp /* PRIVATE */,
250png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
251 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
252 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
253{
254 png_struct create_struct;
255# ifdef PNG_SETJMP_SUPPORTED
256 jmp_buf create_jmp_buf;
257# endif
258
259 /* This temporary stack-allocated structure is used to provide a place to
260 * build enough context to allow the user provided memory allocator (if any)
261 * to be called.
262 */
263 memset(&create_struct, 0, (sizeof create_struct));
264
265 /* Added at libpng-1.2.6 */
266# ifdef PNG_USER_LIMITS_SUPPORTED
267 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
268 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
269
270# ifdef PNG_USER_CHUNK_CACHE_MAX
271 /* Added at libpng-1.2.43 and 1.4.0 */
272 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
273# endif
274
275# ifdef PNG_USER_CHUNK_MALLOC_MAX
276 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
277 * in png_struct regardless.
278 */
279 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
280# endif
281# endif
282
283 /* The following two API calls simply set fields in png_struct, so it is safe
284 * to do them now even though error handling is not yet set up.
285 */
286# ifdef PNG_USER_MEM_SUPPORTED
287 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
288# else
289 PNG_UNUSED(mem_ptr)
290 PNG_UNUSED(malloc_fn)
291 PNG_UNUSED(free_fn)
292# endif
293
294 /* (*error_fn) can return control to the caller after the error_ptr is set,
295 * this will result in a memory leak unless the error_fn does something
296 * extremely sophisticated. The design lacks merit but is implicit in the
297 * API.
298 */
299 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
300
301# ifdef PNG_SETJMP_SUPPORTED
302 if (!setjmp(create_jmp_buf))
303# endif
304 {
305# ifdef PNG_SETJMP_SUPPORTED
306 /* Temporarily fake out the longjmp information until we have
307 * successfully completed this function. This only works if we have
308 * setjmp() support compiled in, but it is safe - this stuff should
309 * never happen.
310 */
311 create_struct.jmp_buf_ptr = &create_jmp_buf;
312 create_struct.jmp_buf_size = 0; /*stack allocation*/
313 create_struct.longjmp_fn = longjmp;
314# endif
315 /* Call the general version checker (shared with read and write code):
316 */
317 if (png_user_version_check(&create_struct, user_png_ver) != 0)
318 {
319 png_structrp png_ptr = png_voidcast(png_structrp,
320 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
321
322 if (png_ptr != NULL)
323 {
324 /* png_ptr->zstream holds a back-pointer to the png_struct, so
325 * this can only be done now:
326 */
327 create_struct.zstream.zalloc = png_zalloc;
328 create_struct.zstream.zfree = png_zfree;
329 create_struct.zstream.opaque = png_ptr;
330
331# ifdef PNG_SETJMP_SUPPORTED
332 /* Eliminate the local error handling: */
333 create_struct.jmp_buf_ptr = NULL;
334 create_struct.jmp_buf_size = 0;
335 create_struct.longjmp_fn = 0;
336# endif
337
338 *png_ptr = create_struct;
339
340 /* This is the successful return point */
341 return png_ptr;
342 }
343 }
344 }
345
346 /* A longjmp because of a bug in the application storage allocator or a
347 * simple failure to allocate the png_struct.
348 */
349 return NULL;
350}
351
352/* Allocate the memory for an info_struct for the application. */
353PNG_FUNCTION(png_infop,PNGAPI
354png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
355{
356 png_inforp info_ptr;
357
358 png_debug(1, "in png_create_info_struct");
359
360 if (png_ptr == NULL)
361 return NULL;
362
363 /* Use the internal API that does not (or at least should not) error out, so
364 * that this call always returns ok. The application typically sets up the
365 * error handling *after* creating the info_struct because this is the way it
366 * has always been done in 'example.c'.
367 */
368 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
369 (sizeof *info_ptr)));
370
371 if (info_ptr != NULL)
372 memset(info_ptr, 0, (sizeof *info_ptr));
373
374 return info_ptr;
375}
376
377/* This function frees the memory associated with a single info struct.
378 * Normally, one would use either png_destroy_read_struct() or
379 * png_destroy_write_struct() to free an info struct, but this may be
380 * useful for some applications. From libpng 1.6.0 this function is also used
381 * internally to implement the png_info release part of the 'struct' destroy
382 * APIs. This ensures that all possible approaches free the same data (all of
383 * it).
384 */
385void PNGAPI
386png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
387{
388 png_inforp info_ptr = NULL;
389
390 png_debug(1, "in png_destroy_info_struct");
391
392 if (png_ptr == NULL)
393 return;
394
395 if (info_ptr_ptr != NULL)
396 info_ptr = *info_ptr_ptr;
397
398 if (info_ptr != NULL)
399 {
400 /* Do this first in case of an error below; if the app implements its own
401 * memory management this can lead to png_free calling png_error, which
402 * will abort this routine and return control to the app error handler.
403 * An infinite loop may result if it then tries to free the same info
404 * ptr.
405 */
406 *info_ptr_ptr = NULL;
407
408 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
409 memset(info_ptr, 0, (sizeof *info_ptr));
410 png_free(png_ptr, info_ptr);
411 }
412}
413
414/* Initialize the info structure. This is now an internal function (0.89)
415 * and applications using it are urged to use png_create_info_struct()
416 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
417 * is just a memset).
418 *
419 * NOTE: it is almost inconceivable that this API is used because it bypasses
420 * the user-memory mechanism and the user error handling/warning mechanisms in
421 * those cases where it does anything other than a memset.
422 */
423PNG_FUNCTION(void,PNGAPI
424png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
425 PNG_DEPRECATED)
426{
427 png_inforp info_ptr = *ptr_ptr;
428
429 png_debug(1, "in png_info_init_3");
430
431 if (info_ptr == NULL)
432 return;
433
434 if ((sizeof (png_info)) > png_info_struct_size)
435 {
436 *ptr_ptr = NULL;
437 /* The following line is why this API should not be used: */
438 free(info_ptr);
439 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
440 (sizeof *info_ptr)));
441 if (info_ptr == NULL)
442 return;
443 *ptr_ptr = info_ptr;
444 }
445
446 /* Set everything to 0 */
447 memset(info_ptr, 0, (sizeof *info_ptr));
448}
449
450/* The following API is not called internally */
451void PNGAPI
452png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
453 int freer, png_uint_32 mask)
454{
455 png_debug(1, "in png_data_freer");
456
457 if (png_ptr == NULL || info_ptr == NULL)
458 return;
459
460 if (freer == PNG_DESTROY_WILL_FREE_DATA)
461 info_ptr->free_me |= mask;
462
463 else if (freer == PNG_USER_WILL_FREE_DATA)
464 info_ptr->free_me &= ~mask;
465
466 else
467 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
468}
469
470void PNGAPI
471png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
472 int num)
473{
474 png_debug(1, "in png_free_data");
475
476 if (png_ptr == NULL || info_ptr == NULL)
477 return;
478
479#ifdef PNG_TEXT_SUPPORTED
480 /* Free text item num or (if num == -1) all text items */
481 if (info_ptr->text != NULL &&
482 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
483 {
484 if (num != -1)
485 {
486 png_free(png_ptr, info_ptr->text[num].key);
487 info_ptr->text[num].key = NULL;
488 }
489
490 else
491 {
492 int i;
493
494 for (i = 0; i < info_ptr->num_text; i++)
495 png_free(png_ptr, info_ptr->text[i].key);
496
497 png_free(png_ptr, info_ptr->text);
498 info_ptr->text = NULL;
499 info_ptr->num_text = 0;
500 info_ptr->max_text = 0;
501 }
502 }
503#endif
504
505#ifdef PNG_tRNS_SUPPORTED
506 /* Free any tRNS entry */
507 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
508 {
509 info_ptr->valid &= ~PNG_INFO_tRNS;
510 png_free(png_ptr, info_ptr->trans_alpha);
511 info_ptr->trans_alpha = NULL;
512 info_ptr->num_trans = 0;
513 }
514#endif
515
516#ifdef PNG_sCAL_SUPPORTED
517 /* Free any sCAL entry */
518 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
519 {
520 png_free(png_ptr, info_ptr->scal_s_width);
521 png_free(png_ptr, info_ptr->scal_s_height);
522 info_ptr->scal_s_width = NULL;
523 info_ptr->scal_s_height = NULL;
524 info_ptr->valid &= ~PNG_INFO_sCAL;
525 }
526#endif
527
528#ifdef PNG_pCAL_SUPPORTED
529 /* Free any pCAL entry */
530 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
531 {
532 png_free(png_ptr, info_ptr->pcal_purpose);
533 png_free(png_ptr, info_ptr->pcal_units);
534 info_ptr->pcal_purpose = NULL;
535 info_ptr->pcal_units = NULL;
536
537 if (info_ptr->pcal_params != NULL)
538 {
539 int i;
540
541 for (i = 0; i < info_ptr->pcal_nparams; i++)
542 png_free(png_ptr, info_ptr->pcal_params[i]);
543
544 png_free(png_ptr, info_ptr->pcal_params);
545 info_ptr->pcal_params = NULL;
546 }
547 info_ptr->valid &= ~PNG_INFO_pCAL;
548 }
549#endif
550
551#ifdef PNG_iCCP_SUPPORTED
552 /* Free any profile entry */
553 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
554 {
555 png_free(png_ptr, info_ptr->iccp_name);
556 png_free(png_ptr, info_ptr->iccp_profile);
557 info_ptr->iccp_name = NULL;
558 info_ptr->iccp_profile = NULL;
559 info_ptr->valid &= ~PNG_INFO_iCCP;
560 }
561#endif
562
563#ifdef PNG_sPLT_SUPPORTED
564 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
565 if (info_ptr->splt_palettes != NULL &&
566 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
567 {
568 if (num != -1)
569 {
570 png_free(png_ptr, info_ptr->splt_palettes[num].name);
571 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
572 info_ptr->splt_palettes[num].name = NULL;
573 info_ptr->splt_palettes[num].entries = NULL;
574 }
575
576 else
577 {
578 int i;
579
580 for (i = 0; i < info_ptr->splt_palettes_num; i++)
581 {
582 png_free(png_ptr, info_ptr->splt_palettes[i].name);
583 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
584 }
585
586 png_free(png_ptr, info_ptr->splt_palettes);
587 info_ptr->splt_palettes = NULL;
588 info_ptr->splt_palettes_num = 0;
589 info_ptr->valid &= ~PNG_INFO_sPLT;
590 }
591 }
592#endif
593
594#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
595 if (info_ptr->unknown_chunks != NULL &&
596 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
597 {
598 if (num != -1)
599 {
600 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
601 info_ptr->unknown_chunks[num].data = NULL;
602 }
603
604 else
605 {
606 int i;
607
608 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
609 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
610
611 png_free(png_ptr, info_ptr->unknown_chunks);
612 info_ptr->unknown_chunks = NULL;
613 info_ptr->unknown_chunks_num = 0;
614 }
615 }
616#endif
617
618#ifdef PNG_eXIf_SUPPORTED
619 /* Free any eXIf entry */
620 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
621 {
622# ifdef PNG_READ_eXIf_SUPPORTED
623 if (info_ptr->eXIf_buf)
624 {
625 png_free(png_ptr, info_ptr->eXIf_buf);
626 info_ptr->eXIf_buf = NULL;
627 }
628# endif
629 if (info_ptr->exif)
630 {
631 png_free(png_ptr, info_ptr->exif);
632 info_ptr->exif = NULL;
633 }
634 info_ptr->valid &= ~PNG_INFO_eXIf;
635 }
636#endif
637
638#ifdef PNG_hIST_SUPPORTED
639 /* Free any hIST entry */
640 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
641 {
642 png_free(png_ptr, info_ptr->hist);
643 info_ptr->hist = NULL;
644 info_ptr->valid &= ~PNG_INFO_hIST;
645 }
646#endif
647
648 /* Free any PLTE entry that was internally allocated */
649 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
650 {
651 png_free(png_ptr, info_ptr->palette);
652 info_ptr->palette = NULL;
653 info_ptr->valid &= ~PNG_INFO_PLTE;
654 info_ptr->num_palette = 0;
655 }
656
657#ifdef PNG_INFO_IMAGE_SUPPORTED
658 /* Free any image bits attached to the info structure */
659 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
660 {
661 if (info_ptr->row_pointers != NULL)
662 {
663 png_uint_32 row;
664 for (row = 0; row < info_ptr->height; row++)
665 png_free(png_ptr, info_ptr->row_pointers[row]);
666
667 png_free(png_ptr, info_ptr->row_pointers);
668 info_ptr->row_pointers = NULL;
669 }
670 info_ptr->valid &= ~PNG_INFO_IDAT;
671 }
672#endif
673
674 if (num != -1)
675 mask &= ~PNG_FREE_MUL;
676
677 info_ptr->free_me &= ~mask;
678}
679#endif /* READ || WRITE */
680
681/* This function returns a pointer to the io_ptr associated with the user
682 * functions. The application should free any memory associated with this
683 * pointer before png_write_destroy() or png_read_destroy() are called.
684 */
685png_voidp PNGAPI
686png_get_io_ptr(png_const_structrp png_ptr)
687{
688 if (png_ptr == NULL)
689 return (NULL);
690
691 return (png_ptr->io_ptr);
692}
693
694#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
695# ifdef PNG_STDIO_SUPPORTED
696/* Initialize the default input/output functions for the PNG file. If you
697 * use your own read or write routines, you can call either png_set_read_fn()
698 * or png_set_write_fn() instead of png_init_io(). If you have defined
699 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
700 * function of your own because "FILE *" isn't necessarily available.
701 */
702void PNGAPI
703png_init_io(png_structrp png_ptr, png_FILE_p fp)
704{
705 png_debug(1, "in png_init_io");
706
707 if (png_ptr == NULL)
708 return;
709
710 png_ptr->io_ptr = (png_voidp)fp;
711}
712# endif
713
714# ifdef PNG_SAVE_INT_32_SUPPORTED
715/* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
716 * defines a cast of a signed integer to an unsigned integer either to preserve
717 * the value, if it is positive, or to calculate:
718 *
719 * (UNSIGNED_MAX+1) + integer
720 *
721 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
722 * negative integral value is added the result will be an unsigned value
723 * correspnding to the 2's complement representation.
724 */
725void PNGAPI
726png_save_int_32(png_bytep buf, png_int_32 i)
727{
728 png_save_uint_32(buf, (png_uint_32)i);
729}
730# endif
731
732# ifdef PNG_TIME_RFC1123_SUPPORTED
733/* Convert the supplied time into an RFC 1123 string suitable for use in
734 * a "Creation Time" or other text-based time string.
735 */
736int PNGAPI
737png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
738{
739 static PNG_CONST char short_months[12][4] =
740 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
741 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
742
743 if (out == NULL)
744 return 0;
745
746 if (ptime->year > 9999 /* RFC1123 limitation */ ||
747 ptime->month == 0 || ptime->month > 12 ||
748 ptime->day == 0 || ptime->day > 31 ||
749 ptime->hour > 23 || ptime->minute > 59 ||
750 ptime->second > 60)
751 return 0;
752
753 {
754 size_t pos = 0;
755 char number_buf[5]; /* enough for a four-digit year */
756
757# define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
758# define APPEND_NUMBER(format, value)\
759 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
760# define APPEND(ch) if (pos < 28) out[pos++] = (ch)
761
762 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
763 APPEND(' ');
764 APPEND_STRING(short_months[(ptime->month - 1)]);
765 APPEND(' ');
766 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
767 APPEND(' ');
768 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
769 APPEND(':');
770 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
771 APPEND(':');
772 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
773 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
774 PNG_UNUSED (pos)
775
776# undef APPEND
777# undef APPEND_NUMBER
778# undef APPEND_STRING
779 }
780
781 return 1;
782}
783
784# if PNG_LIBPNG_VER < 10700
785/* To do: remove the following from libpng-1.7 */
786/* Original API that uses a private buffer in png_struct.
787 * Deprecated because it causes png_struct to carry a spurious temporary
788 * buffer (png_struct::time_buffer), better to have the caller pass this in.
789 */
790png_const_charp PNGAPI
791png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
792{
793 if (png_ptr != NULL)
794 {
795 /* The only failure above if png_ptr != NULL is from an invalid ptime */
796 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
797 png_warning(png_ptr, "Ignoring invalid time value");
798
799 else
800 return png_ptr->time_buffer;
801 }
802
803 return NULL;
804}
805# endif /* LIBPNG_VER < 10700 */
806# endif /* TIME_RFC1123 */
807
808#endif /* READ || WRITE */
809
810png_const_charp PNGAPI
811png_get_copyright(png_const_structrp png_ptr)
812{
813 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
814#ifdef PNG_STRING_COPYRIGHT
815 return PNG_STRING_COPYRIGHT
816#else
817# ifdef __STDC__
818 return PNG_STRING_NEWLINE \
819 "libpng version 1.6.34 - September 29, 2017" PNG_STRING_NEWLINE \
820 "Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson" \
821 PNG_STRING_NEWLINE \
822 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
823 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
824 PNG_STRING_NEWLINE;
825# else
826 return "libpng version 1.6.34 - September 29, 2017\
827 Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson\
828 Copyright (c) 1996-1997 Andreas Dilger\
829 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
830# endif
831#endif
832}
833
834/* The following return the library version as a short string in the
835 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
836 * used with your application, print out PNG_LIBPNG_VER_STRING, which
837 * is defined in png.h.
838 * Note: now there is no difference between png_get_libpng_ver() and
839 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
840 * it is guaranteed that png.c uses the correct version of png.h.
841 */
842png_const_charp PNGAPI
843png_get_libpng_ver(png_const_structrp png_ptr)
844{
845 /* Version of *.c files used when building libpng */
846 return png_get_header_ver(png_ptr);
847}
848
849png_const_charp PNGAPI
850png_get_header_ver(png_const_structrp png_ptr)
851{
852 /* Version of *.h files used when building libpng */
853 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
854 return PNG_LIBPNG_VER_STRING;
855}
856
857png_const_charp PNGAPI
858png_get_header_version(png_const_structrp png_ptr)
859{
860 /* Returns longer string containing both version and date */
861 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
862#ifdef __STDC__
863 return PNG_HEADER_VERSION_STRING
864# ifndef PNG_READ_SUPPORTED
865 " (NO READ SUPPORT)"
866# endif
867 PNG_STRING_NEWLINE;
868#else
869 return PNG_HEADER_VERSION_STRING;
870#endif
871}
872
873#ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
874/* NOTE: this routine is not used internally! */
875/* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
876 * large of png_color. This lets grayscale images be treated as
877 * paletted. Most useful for gamma correction and simplification
878 * of code. This API is not used internally.
879 */
880void PNGAPI
881png_build_grayscale_palette(int bit_depth, png_colorp palette)
882{
883 int num_palette;
884 int color_inc;
885 int i;
886 int v;
887
888 png_debug(1, "in png_do_build_grayscale_palette");
889
890 if (palette == NULL)
891 return;
892
893 switch (bit_depth)
894 {
895 case 1:
896 num_palette = 2;
897 color_inc = 0xff;
898 break;
899
900 case 2:
901 num_palette = 4;
902 color_inc = 0x55;
903 break;
904
905 case 4:
906 num_palette = 16;
907 color_inc = 0x11;
908 break;
909
910 case 8:
911 num_palette = 256;
912 color_inc = 1;
913 break;
914
915 default:
916 num_palette = 0;
917 color_inc = 0;
918 break;
919 }
920
921 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
922 {
923 palette[i].red = (png_byte)(v & 0xff);
924 palette[i].green = (png_byte)(v & 0xff);
925 palette[i].blue = (png_byte)(v & 0xff);
926 }
927}
928#endif
929
930#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
931int PNGAPI
932png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
933{
934 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
935 png_const_bytep p, p_end;
936
937 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
938 return PNG_HANDLE_CHUNK_AS_DEFAULT;
939
940 p_end = png_ptr->chunk_list;
941 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
942
943 /* The code is the fifth byte after each four byte string. Historically this
944 * code was always searched from the end of the list, this is no longer
945 * necessary because the 'set' routine handles duplicate entries correcty.
946 */
947 do /* num_chunk_list > 0, so at least one */
948 {
949 p -= 5;
950
951 if (memcmp(chunk_name, p, 4) == 0)
952 return p[4];
953 }
954 while (p > p_end);
955
956 /* This means that known chunks should be processed and unknown chunks should
957 * be handled according to the value of png_ptr->unknown_default; this can be
958 * confusing because, as a result, there are two levels of defaulting for
959 * unknown chunks.
960 */
961 return PNG_HANDLE_CHUNK_AS_DEFAULT;
962}
963
964#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
965 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
966int /* PRIVATE */
967png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
968{
969 png_byte chunk_string[5];
970
971 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
972 return png_handle_as_unknown(png_ptr, chunk_string);
973}
974#endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
975#endif /* SET_UNKNOWN_CHUNKS */
976
977#ifdef PNG_READ_SUPPORTED
978/* This function, added to libpng-1.0.6g, is untested. */
979int PNGAPI
980png_reset_zstream(png_structrp png_ptr)
981{
982 if (png_ptr == NULL)
983 return Z_STREAM_ERROR;
984
985 /* WARNING: this resets the window bits to the maximum! */
986 return (inflateReset(&png_ptr->zstream));
987}
988#endif /* READ */
989
990/* This function was added to libpng-1.0.7 */
991png_uint_32 PNGAPI
992png_access_version_number(void)
993{
994 /* Version of *.c files used when building libpng */
995 return((png_uint_32)PNG_LIBPNG_VER);
996}
997
998#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
999/* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
1000 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
1001 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
1002 */
1003void /* PRIVATE */
1004png_zstream_error(png_structrp png_ptr, int ret)
1005{
1006 /* Translate 'ret' into an appropriate error string, priority is given to the
1007 * one in zstream if set. This always returns a string, even in cases like
1008 * Z_OK or Z_STREAM_END where the error code is a success code.
1009 */
1010 if (png_ptr->zstream.msg == NULL) switch (ret)
1011 {
1012 default:
1013 case Z_OK:
1014 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1015 break;
1016
1017 case Z_STREAM_END:
1018 /* Normal exit */
1019 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1020 break;
1021
1022 case Z_NEED_DICT:
1023 /* This means the deflate stream did not have a dictionary; this
1024 * indicates a bogus PNG.
1025 */
1026 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1027 break;
1028
1029 case Z_ERRNO:
1030 /* gz APIs only: should not happen */
1031 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1032 break;
1033
1034 case Z_STREAM_ERROR:
1035 /* internal libpng error */
1036 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1037 break;
1038
1039 case Z_DATA_ERROR:
1040 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1041 break;
1042
1043 case Z_MEM_ERROR:
1044 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1045 break;
1046
1047 case Z_BUF_ERROR:
1048 /* End of input or output; not a problem if the caller is doing
1049 * incremental read or write.
1050 */
1051 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1052 break;
1053
1054 case Z_VERSION_ERROR:
1055 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1056 break;
1057
1058 case PNG_UNEXPECTED_ZLIB_RETURN:
1059 /* Compile errors here mean that zlib now uses the value co-opted in
1060 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1061 * and change pngpriv.h. Note that this message is "... return",
1062 * whereas the default/Z_OK one is "... return code".
1063 */
1064 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1065 break;
1066 }
1067}
1068
1069/* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1070 * at libpng 1.5.5!
1071 */
1072
1073/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1074#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1075static int
1076png_colorspace_check_gamma(png_const_structrp png_ptr,
1077 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1078 /* This is called to check a new gamma value against an existing one. The
1079 * routine returns false if the new gamma value should not be written.
1080 *
1081 * 'from' says where the new gamma value comes from:
1082 *
1083 * 0: the new gamma value is the libpng estimate for an ICC profile
1084 * 1: the new gamma value comes from a gAMA chunk
1085 * 2: the new gamma value comes from an sRGB chunk
1086 */
1087{
1088 png_fixed_point gtest;
1089
1090 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1091 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1092 png_gamma_significant(gtest) != 0))
1093 {
1094 /* Either this is an sRGB image, in which case the calculated gamma
1095 * approximation should match, or this is an image with a profile and the
1096 * value libpng calculates for the gamma of the profile does not match the
1097 * value recorded in the file. The former, sRGB, case is an error, the
1098 * latter is just a warning.
1099 */
1100 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1101 {
1102 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1103 PNG_CHUNK_ERROR);
1104 /* Do not overwrite an sRGB value */
1105 return from == 2;
1106 }
1107
1108 else /* sRGB tag not involved */
1109 {
1110 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1111 PNG_CHUNK_WARNING);
1112 return from == 1;
1113 }
1114 }
1115
1116 return 1;
1117}
1118
1119void /* PRIVATE */
1120png_colorspace_set_gamma(png_const_structrp png_ptr,
1121 png_colorspacerp colorspace, png_fixed_point gAMA)
1122{
1123 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1124 * occur. Since the fixed point representation is asymetrical it is
1125 * possible for 1/gamma to overflow the limit of 21474 and this means the
1126 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1127 * safety the limits here are a little narrower. The values are 0.00016 to
1128 * 6250.0, which are truly ridiculous gamma values (and will produce
1129 * displays that are all black or all white.)
1130 *
1131 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1132 * handling code, which only required the value to be >0.
1133 */
1134 png_const_charp errmsg;
1135
1136 if (gAMA < 16 || gAMA > 625000000)
1137 errmsg = "gamma value out of range";
1138
1139# ifdef PNG_READ_gAMA_SUPPORTED
1140 /* Allow the application to set the gamma value more than once */
1141 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1142 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1143 errmsg = "duplicate";
1144# endif
1145
1146 /* Do nothing if the colorspace is already invalid */
1147 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1148 return;
1149
1150 else
1151 {
1152 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1153 1/*from gAMA*/) != 0)
1154 {
1155 /* Store this gamma value. */
1156 colorspace->gamma = gAMA;
1157 colorspace->flags |=
1158 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1159 }
1160
1161 /* At present if the check_gamma test fails the gamma of the colorspace is
1162 * not updated however the colorspace is not invalidated. This
1163 * corresponds to the case where the existing gamma comes from an sRGB
1164 * chunk or profile. An error message has already been output.
1165 */
1166 return;
1167 }
1168
1169 /* Error exit - errmsg has been set. */
1170 colorspace->flags |= PNG_COLORSPACE_INVALID;
1171 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1172}
1173
1174void /* PRIVATE */
1175png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1176{
1177 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1178 {
1179 /* Everything is invalid */
1180 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1181 PNG_INFO_iCCP);
1182
1183# ifdef PNG_COLORSPACE_SUPPORTED
1184 /* Clean up the iCCP profile now if it won't be used. */
1185 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1186# else
1187 PNG_UNUSED(png_ptr)
1188# endif
1189 }
1190
1191 else
1192 {
1193# ifdef PNG_COLORSPACE_SUPPORTED
1194 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1195 * it; this allows a PNG to contain a profile which matches sRGB and
1196 * yet still have that profile retrievable by the application.
1197 */
1198 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1199 info_ptr->valid |= PNG_INFO_sRGB;
1200
1201 else
1202 info_ptr->valid &= ~PNG_INFO_sRGB;
1203
1204 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1205 info_ptr->valid |= PNG_INFO_cHRM;
1206
1207 else
1208 info_ptr->valid &= ~PNG_INFO_cHRM;
1209# endif
1210
1211 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1212 info_ptr->valid |= PNG_INFO_gAMA;
1213
1214 else
1215 info_ptr->valid &= ~PNG_INFO_gAMA;
1216 }
1217}
1218
1219#ifdef PNG_READ_SUPPORTED
1220void /* PRIVATE */
1221png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1222{
1223 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1224 return;
1225
1226 info_ptr->colorspace = png_ptr->colorspace;
1227 png_colorspace_sync_info(png_ptr, info_ptr);
1228}
1229#endif
1230#endif /* GAMMA */
1231
1232#ifdef PNG_COLORSPACE_SUPPORTED
1233/* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1234 * cHRM, as opposed to using chromaticities. These internal APIs return
1235 * non-zero on a parameter error. The X, Y and Z values are required to be
1236 * positive and less than 1.0.
1237 */
1238static int
1239png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1240{
1241 png_int_32 d, dwhite, whiteX, whiteY;
1242
1243 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1244 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1245 return 1;
1246 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1247 return 1;
1248 dwhite = d;
1249 whiteX = XYZ->red_X;
1250 whiteY = XYZ->red_Y;
1251
1252 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1253 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1254 return 1;
1255 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1256 return 1;
1257 dwhite += d;
1258 whiteX += XYZ->green_X;
1259 whiteY += XYZ->green_Y;
1260
1261 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1262 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1263 return 1;
1264 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1265 return 1;
1266 dwhite += d;
1267 whiteX += XYZ->blue_X;
1268 whiteY += XYZ->blue_Y;
1269
1270 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1271 * thus:
1272 */
1273 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1274 return 1;
1275 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1276 return 1;
1277
1278 return 0;
1279}
1280
1281static int
1282png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1283{
1284 png_fixed_point red_inverse, green_inverse, blue_scale;
1285 png_fixed_point left, right, denominator;
1286
1287 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1288 * have end points with 0 tristimulus values (these are impossible end
1289 * points, but they are used to cover the possible colors). We check
1290 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1291 */
1292 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1293 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1294 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1295 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1296 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1297 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1298 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1299 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1300
1301 /* The reverse calculation is more difficult because the original tristimulus
1302 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1303 * derived values were recorded in the cHRM chunk;
1304 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1305 * therefore an arbitrary ninth value has to be introduced to undo the
1306 * original transformations.
1307 *
1308 * Think of the original end-points as points in (X,Y,Z) space. The
1309 * chromaticity values (c) have the property:
1310 *
1311 * C
1312 * c = ---------
1313 * X + Y + Z
1314 *
1315 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1316 * three chromaticity values (x,y,z) for each end-point obey the
1317 * relationship:
1318 *
1319 * x + y + z = 1
1320 *
1321 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1322 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1323 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1324 * and chromaticity is the intersection of the vector from the origin to the
1325 * (X,Y,Z) value with the chromaticity plane.
1326 *
1327 * To fully invert the chromaticity calculation we would need the three
1328 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1329 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1330 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1331 * given all three of the scale factors since:
1332 *
1333 * color-C = color-c * color-scale
1334 * white-C = red-C + green-C + blue-C
1335 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1336 *
1337 * But cHRM records only white-x and white-y, so we have lost the white scale
1338 * factor:
1339 *
1340 * white-C = white-c*white-scale
1341 *
1342 * To handle this the inverse transformation makes an arbitrary assumption
1343 * about white-scale:
1344 *
1345 * Assume: white-Y = 1.0
1346 * Hence: white-scale = 1/white-y
1347 * Or: red-Y + green-Y + blue-Y = 1.0
1348 *
1349 * Notice the last statement of the assumption gives an equation in three of
1350 * the nine values we want to calculate. 8 more equations come from the
1351 * above routine as summarised at the top above (the chromaticity
1352 * calculation):
1353 *
1354 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1355 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1356 *
1357 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1358 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1359 * determinants, however this is not as bad as it seems because only 28 of
1360 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1361 * Cramer's rule is notoriously numerically unstable because the determinant
1362 * calculation involves the difference of large, but similar, numbers. It is
1363 * difficult to be sure that the calculation is stable for real world values
1364 * and it is certain that it becomes unstable where the end points are close
1365 * together.
1366 *
1367 * So this code uses the perhaps slightly less optimal but more
1368 * understandable and totally obvious approach of calculating color-scale.
1369 *
1370 * This algorithm depends on the precision in white-scale and that is
1371 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1372 * accuracy inherent in the cHRM chunk drops off substantially.
1373 *
1374 * libpng arithmetic: a simple inversion of the above equations
1375 * ------------------------------------------------------------
1376 *
1377 * white_scale = 1/white-y
1378 * white-X = white-x * white-scale
1379 * white-Y = 1.0
1380 * white-Z = (1 - white-x - white-y) * white_scale
1381 *
1382 * white-C = red-C + green-C + blue-C
1383 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1384 *
1385 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1386 * all the coefficients are now known:
1387 *
1388 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1389 * = white-x/white-y
1390 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1391 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1392 * = (1 - white-x - white-y)/white-y
1393 *
1394 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1395 * three equations together to get an alternative third:
1396 *
1397 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1398 *
1399 * So now we have a Cramer's rule solution where the determinants are just
1400 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1401 * multiplication of three coefficients so we can't guarantee to avoid
1402 * overflow in the libpng fixed point representation. Using Cramer's rule in
1403 * floating point is probably a good choice here, but it's not an option for
1404 * fixed point. Instead proceed to simplify the first two equations by
1405 * eliminating what is likely to be the largest value, blue-scale:
1406 *
1407 * blue-scale = white-scale - red-scale - green-scale
1408 *
1409 * Hence:
1410 *
1411 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1412 * (white-x - blue-x)*white-scale
1413 *
1414 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1415 * 1 - blue-y*white-scale
1416 *
1417 * And now we can trivially solve for (red-scale,green-scale):
1418 *
1419 * green-scale =
1420 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1421 * -----------------------------------------------------------
1422 * green-x - blue-x
1423 *
1424 * red-scale =
1425 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1426 * ---------------------------------------------------------
1427 * red-y - blue-y
1428 *
1429 * Hence:
1430 *
1431 * red-scale =
1432 * ( (green-x - blue-x) * (white-y - blue-y) -
1433 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1434 * -------------------------------------------------------------------------
1435 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1436 *
1437 * green-scale =
1438 * ( (red-y - blue-y) * (white-x - blue-x) -
1439 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1440 * -------------------------------------------------------------------------
1441 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1442 *
1443 * Accuracy:
1444 * The input values have 5 decimal digits of accuracy. The values are all in
1445 * the range 0 < value < 1, so simple products are in the same range but may
1446 * need up to 10 decimal digits to preserve the original precision and avoid
1447 * underflow. Because we are using a 32-bit signed representation we cannot
1448 * match this; the best is a little over 9 decimal digits, less than 10.
1449 *
1450 * The approach used here is to preserve the maximum precision within the
1451 * signed representation. Because the red-scale calculation above uses the
1452 * difference between two products of values that must be in the range -1..+1
1453 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1454 * factor is irrelevant in the calculation because it is applied to both
1455 * numerator and denominator.
1456 *
1457 * Note that the values of the differences of the products of the
1458 * chromaticities in the above equations tend to be small, for example for
1459 * the sRGB chromaticities they are:
1460 *
1461 * red numerator: -0.04751
1462 * green numerator: -0.08788
1463 * denominator: -0.2241 (without white-y multiplication)
1464 *
1465 * The resultant Y coefficients from the chromaticities of some widely used
1466 * color space definitions are (to 15 decimal places):
1467 *
1468 * sRGB
1469 * 0.212639005871510 0.715168678767756 0.072192315360734
1470 * Kodak ProPhoto
1471 * 0.288071128229293 0.711843217810102 0.000085653960605
1472 * Adobe RGB
1473 * 0.297344975250536 0.627363566255466 0.075291458493998
1474 * Adobe Wide Gamut RGB
1475 * 0.258728243040113 0.724682314948566 0.016589442011321
1476 */
1477 /* By the argument, above overflow should be impossible here. The return
1478 * value of 2 indicates an internal error to the caller.
1479 */
1480 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1481 return 2;
1482 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1483 return 2;
1484 denominator = left - right;
1485
1486 /* Now find the red numerator. */
1487 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1488 return 2;
1489 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1490 return 2;
1491
1492 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1493 * chunk values. This calculation actually returns the reciprocal of the
1494 * scale value because this allows us to delay the multiplication of white-y
1495 * into the denominator, which tends to produce a small number.
1496 */
1497 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1498 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1499 return 1;
1500
1501 /* Similarly for green_inverse: */
1502 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1503 return 2;
1504 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1505 return 2;
1506 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1507 green_inverse <= xy->whitey)
1508 return 1;
1509
1510 /* And the blue scale, the checks above guarantee this can't overflow but it
1511 * can still produce 0 for extreme cHRM values.
1512 */
1513 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1514 png_reciprocal(green_inverse);
1515 if (blue_scale <= 0)
1516 return 1;
1517
1518
1519 /* And fill in the png_XYZ: */
1520 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1521 return 1;
1522 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1523 return 1;
1524 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1525 red_inverse) == 0)
1526 return 1;
1527
1528 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1529 return 1;
1530 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1531 return 1;
1532 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1533 green_inverse) == 0)
1534 return 1;
1535
1536 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1537 return 1;
1538 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1539 return 1;
1540 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1541 PNG_FP_1) == 0)
1542 return 1;
1543
1544 return 0; /*success*/
1545}
1546
1547static int
1548png_XYZ_normalize(png_XYZ *XYZ)
1549{
1550 png_int_32 Y;
1551
1552 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1553 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1554 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1555 return 1;
1556
1557 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1558 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1559 * relying on addition of two positive values producing a negative one is not
1560 * safe.
1561 */
1562 Y = XYZ->red_Y;
1563 if (0x7fffffff - Y < XYZ->green_X)
1564 return 1;
1565 Y += XYZ->green_Y;
1566 if (0x7fffffff - Y < XYZ->blue_X)
1567 return 1;
1568 Y += XYZ->blue_Y;
1569
1570 if (Y != PNG_FP_1)
1571 {
1572 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1573 return 1;
1574 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1575 return 1;
1576 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1577 return 1;
1578
1579 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1580 return 1;
1581 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1582 return 1;
1583 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1584 return 1;
1585
1586 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1587 return 1;
1588 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1589 return 1;
1590 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1591 return 1;
1592 }
1593
1594 return 0;
1595}
1596
1597static int
1598png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1599{
1600 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1601 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1602 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1603 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1604 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1605 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1606 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1607 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1608 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1609 return 0;
1610 return 1;
1611}
1612
1613/* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1614 * chunk chromaticities. Earlier checks used to simply look for the overflow
1615 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1616 * because the chromaticity values are not all distinct.) Despite this it is
1617 * theoretically possible to produce chromaticities that are apparently valid
1618 * but that rapidly degrade to invalid, potentially crashing, sets because of
1619 * arithmetic inaccuracies when calculations are performed on them. The new
1620 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1621 * within a small percentage of the original.
1622 */
1623static int
1624png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1625{
1626 int result;
1627 png_xy xy_test;
1628
1629 /* As a side-effect this routine also returns the XYZ endpoints. */
1630 result = png_XYZ_from_xy(XYZ, xy);
1631 if (result != 0)
1632 return result;
1633
1634 result = png_xy_from_XYZ(&xy_test, XYZ);
1635 if (result != 0)
1636 return result;
1637
1638 if (png_colorspace_endpoints_match(xy, &xy_test,
1639 5/*actually, the math is pretty accurate*/) != 0)
1640 return 0;
1641
1642 /* Too much slip */
1643 return 1;
1644}
1645
1646/* This is the check going the other way. The XYZ is modified to normalize it
1647 * (another side-effect) and the xy chromaticities are returned.
1648 */
1649static int
1650png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1651{
1652 int result;
1653 png_XYZ XYZtemp;
1654
1655 result = png_XYZ_normalize(XYZ);
1656 if (result != 0)
1657 return result;
1658
1659 result = png_xy_from_XYZ(xy, XYZ);
1660 if (result != 0)
1661 return result;
1662
1663 XYZtemp = *XYZ;
1664 return png_colorspace_check_xy(&XYZtemp, xy);
1665}
1666
1667/* Used to check for an endpoint match against sRGB */
1668static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1669{
1670 /* color x y */
1671 /* red */ 64000, 33000,
1672 /* green */ 30000, 60000,
1673 /* blue */ 15000, 6000,
1674 /* white */ 31270, 32900
1675};
1676
1677static int
1678png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1679 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1680 int preferred)
1681{
1682 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1683 return 0;
1684
1685 /* The consistency check is performed on the chromaticities; this factors out
1686 * variations because of the normalization (or not) of the end point Y
1687 * values.
1688 */
1689 if (preferred < 2 &&
1690 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1691 {
1692 /* The end points must be reasonably close to any we already have. The
1693 * following allows an error of up to +/-.001
1694 */
1695 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1696 100) == 0)
1697 {
1698 colorspace->flags |= PNG_COLORSPACE_INVALID;
1699 png_benign_error(png_ptr, "inconsistent chromaticities");
1700 return 0; /* failed */
1701 }
1702
1703 /* Only overwrite with preferred values */
1704 if (preferred == 0)
1705 return 1; /* ok, but no change */
1706 }
1707
1708 colorspace->end_points_xy = *xy;
1709 colorspace->end_points_XYZ = *XYZ;
1710 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1711
1712 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1713 * on this test.
1714 */
1715 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1716 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1717
1718 else
1719 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1720 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1721
1722 return 2; /* ok and changed */
1723}
1724
1725int /* PRIVATE */
1726png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1727 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1728{
1729 /* We must check the end points to ensure they are reasonable - in the past
1730 * color management systems have crashed as a result of getting bogus
1731 * colorant values, while this isn't the fault of libpng it is the
1732 * responsibility of libpng because PNG carries the bomb and libpng is in a
1733 * position to protect against it.
1734 */
1735 png_XYZ XYZ;
1736
1737 switch (png_colorspace_check_xy(&XYZ, xy))
1738 {
1739 case 0: /* success */
1740 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1741 preferred);
1742
1743 case 1:
1744 /* We can't invert the chromaticities so we can't produce value XYZ
1745 * values. Likely as not a color management system will fail too.
1746 */
1747 colorspace->flags |= PNG_COLORSPACE_INVALID;
1748 png_benign_error(png_ptr, "invalid chromaticities");
1749 break;
1750
1751 default:
1752 /* libpng is broken; this should be a warning but if it happens we
1753 * want error reports so for the moment it is an error.
1754 */
1755 colorspace->flags |= PNG_COLORSPACE_INVALID;
1756 png_error(png_ptr, "internal error checking chromaticities");
1757 }
1758
1759 return 0; /* failed */
1760}
1761
1762int /* PRIVATE */
1763png_colorspace_set_endpoints(png_const_structrp png_ptr,
1764 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1765{
1766 png_XYZ XYZ = *XYZ_in;
1767 png_xy xy;
1768
1769 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1770 {
1771 case 0:
1772 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1773 preferred);
1774
1775 case 1:
1776 /* End points are invalid. */
1777 colorspace->flags |= PNG_COLORSPACE_INVALID;
1778 png_benign_error(png_ptr, "invalid end points");
1779 break;
1780
1781 default:
1782 colorspace->flags |= PNG_COLORSPACE_INVALID;
1783 png_error(png_ptr, "internal error checking chromaticities");
1784 }
1785
1786 return 0; /* failed */
1787}
1788
1789#if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1790/* Error message generation */
1791static char
1792png_icc_tag_char(png_uint_32 byte)
1793{
1794 byte &= 0xff;
1795 if (byte >= 32 && byte <= 126)
1796 return (char)byte;
1797 else
1798 return '?';
1799}
1800
1801static void
1802png_icc_tag_name(char *name, png_uint_32 tag)
1803{
1804 name[0] = '\'';
1805 name[1] = png_icc_tag_char(tag >> 24);
1806 name[2] = png_icc_tag_char(tag >> 16);
1807 name[3] = png_icc_tag_char(tag >> 8);
1808 name[4] = png_icc_tag_char(tag );
1809 name[5] = '\'';
1810}
1811
1812static int
1813is_ICC_signature_char(png_alloc_size_t it)
1814{
1815 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1816 (it >= 97 && it <= 122);
1817}
1818
1819static int
1820is_ICC_signature(png_alloc_size_t it)
1821{
1822 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1823 is_ICC_signature_char((it >> 16) & 0xff) &&
1824 is_ICC_signature_char((it >> 8) & 0xff) &&
1825 is_ICC_signature_char(it & 0xff);
1826}
1827
1828static int
1829png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1830 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1831{
1832 size_t pos;
1833 char message[196]; /* see below for calculation */
1834
1835 if (colorspace != NULL)
1836 colorspace->flags |= PNG_COLORSPACE_INVALID;
1837
1838 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1839 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1840 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1841 if (is_ICC_signature(value) != 0)
1842 {
1843 /* So 'value' is at most 4 bytes and the following cast is safe */
1844 png_icc_tag_name(message+pos, (png_uint_32)value);
1845 pos += 6; /* total +8; less than the else clause */
1846 message[pos++] = ':';
1847 message[pos++] = ' ';
1848 }
1849# ifdef PNG_WARNINGS_SUPPORTED
1850 else
1851 {
1852 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1853
1854 pos = png_safecat(message, (sizeof message), pos,
1855 png_format_number(number, number+(sizeof number),
1856 PNG_NUMBER_FORMAT_x, value));
1857 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1858 }
1859# endif
1860 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1861 pos = png_safecat(message, (sizeof message), pos, reason);
1862 PNG_UNUSED(pos)
1863
1864 /* This is recoverable, but make it unconditionally an app_error on write to
1865 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1866 * on read, with a warning, but on write unless the app turns off
1867 * application errors the PNG won't be written.)
1868 */
1869 png_chunk_report(png_ptr, message,
1870 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1871
1872 return 0;
1873}
1874#endif /* sRGB || iCCP */
1875
1876#ifdef PNG_sRGB_SUPPORTED
1877int /* PRIVATE */
1878png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1879 int intent)
1880{
1881 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1882 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1883 * because ICC profiles store values adapted to a D50 environment; it is
1884 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1885 * checks and code elsewhere to understand this better.
1886 *
1887 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1888 * coefficients of (6968,23435,2366), which are reduced (because they add up
1889 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1890 * libpng has traditionally used (and are the best values given the 15bit
1891 * algorithm used by the rgb to gray code.)
1892 */
1893 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1894 {
1895 /* color X Y Z */
1896 /* red */ 41239, 21264, 1933,
1897 /* green */ 35758, 71517, 11919,
1898 /* blue */ 18048, 7219, 95053
1899 };
1900
1901 /* Do nothing if the colorspace is already invalidated. */
1902 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1903 return 0;
1904
1905 /* Check the intent, then check for existing settings. It is valid for the
1906 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1907 * be consistent with the correct values. If, however, this function is
1908 * called below because an iCCP chunk matches sRGB then it is quite
1909 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1910 * an incorrect calculation based on the values in the profile - this does
1911 * *not* invalidate the profile (though it still produces an error, which can
1912 * be ignored.)
1913 */
1914 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1915 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1916 (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1917
1918 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1919 colorspace->rendering_intent != intent)
1920 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1921 (png_alloc_size_t)intent, "inconsistent rendering intents");
1922
1923 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1924 {
1925 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1926 return 0;
1927 }
1928
1929 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1930 * warn but overwrite the value with the correct one.
1931 */
1932 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1933 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1934 100))
1935 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1936 PNG_CHUNK_ERROR);
1937
1938 /* This check is just done for the error reporting - the routine always
1939 * returns true when the 'from' argument corresponds to sRGB (2).
1940 */
1941 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1942 2/*from sRGB*/);
1943
1944 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1945 colorspace->rendering_intent = (png_uint_16)intent;
1946 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1947
1948 /* endpoints */
1949 colorspace->end_points_xy = sRGB_xy;
1950 colorspace->end_points_XYZ = sRGB_XYZ;
1951 colorspace->flags |=
1952 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1953
1954 /* gamma */
1955 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1956 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1957
1958 /* Finally record that we have an sRGB profile */
1959 colorspace->flags |=
1960 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1961
1962 return 1; /* set */
1963}
1964#endif /* sRGB */
1965
1966#ifdef PNG_iCCP_SUPPORTED
1967/* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1968 * is XYZ(0.9642,1.0,0.8249), which scales to:
1969 *
1970 * (63189.8112, 65536, 54060.6464)
1971 */
1972static const png_byte D50_nCIEXYZ[12] =
1973 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1974
1975static int /* bool */
1976icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1977 png_const_charp name, png_uint_32 profile_length)
1978{
1979 if (profile_length < 132)
1980 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1981 "too short");
1982 return 1;
1983}
1984
1985#ifdef PNG_READ_iCCP_SUPPORTED
1986int /* PRIVATE */
1987png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1988 png_const_charp name, png_uint_32 profile_length)
1989{
1990 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1991 return 0;
1992
1993 /* This needs to be here because the 'normal' check is in
1994 * png_decompress_chunk, yet this happens after the attempt to
1995 * png_malloc_base the required data. We only need this on read; on write
1996 * the caller supplies the profile buffer so libpng doesn't allocate it. See
1997 * the call to icc_check_length below (the write case).
1998 */
1999# ifdef PNG_SET_USER_LIMITS_SUPPORTED
2000 else if (png_ptr->user_chunk_malloc_max > 0 &&
2001 png_ptr->user_chunk_malloc_max < profile_length)
2002 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2003 "exceeds application limits");
2004# elif PNG_USER_CHUNK_MALLOC_MAX > 0
2005 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2006 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2007 "exceeds libpng limits");
2008# else /* !SET_USER_LIMITS */
2009 /* This will get compiled out on all 32-bit and better systems. */
2010 else if (PNG_SIZE_MAX < profile_length)
2011 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2012 "exceeds system limits");
2013# endif /* !SET_USER_LIMITS */
2014
2015 return 1;
2016}
2017#endif /* READ_iCCP */
2018
2019int /* PRIVATE */
2020png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2021 png_const_charp name, png_uint_32 profile_length,
2022 png_const_bytep profile/* first 132 bytes only */, int color_type)
2023{
2024 png_uint_32 temp;
2025
2026 /* Length check; this cannot be ignored in this code because profile_length
2027 * is used later to check the tag table, so even if the profile seems over
2028 * long profile_length from the caller must be correct. The caller can fix
2029 * this up on read or write by just passing in the profile header length.
2030 */
2031 temp = png_get_uint_32(profile);
2032 if (temp != profile_length)
2033 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2034 "length does not match profile");
2035
2036 temp = (png_uint_32) (*(profile+8));
2037 if (temp > 3 && (profile_length & 3))
2038 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2039 "invalid length");
2040
2041 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2042 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2043 profile_length < 132+12*temp) /* truncated tag table */
2044 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2045 "tag count too large");
2046
2047 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2048 * 16 bits.
2049 */
2050 temp = png_get_uint_32(profile+64);
2051 if (temp >= 0xffff) /* The ICC limit */
2052 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2053 "invalid rendering intent");
2054
2055 /* This is just a warning because the profile may be valid in future
2056 * versions.
2057 */
2058 if (temp >= PNG_sRGB_INTENT_LAST)
2059 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2060 "intent outside defined range");
2061
2062 /* At this point the tag table can't be checked because it hasn't necessarily
2063 * been loaded; however, various header fields can be checked. These checks
2064 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2065 * restricts the profiles that can be passed in an iCCP chunk (they must be
2066 * appropriate to processing PNG data!)
2067 */
2068
2069 /* Data checks (could be skipped). These checks must be independent of the
2070 * version number; however, the version number doesn't accomodate changes in
2071 * the header fields (just the known tags and the interpretation of the
2072 * data.)
2073 */
2074 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2075 if (temp != 0x61637370)
2076 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2077 "invalid signature");
2078
2079 /* Currently the PCS illuminant/adopted white point (the computational
2080 * white point) are required to be D50,
2081 * however the profile contains a record of the illuminant so perhaps ICC
2082 * expects to be able to change this in the future (despite the rationale in
2083 * the introduction for using a fixed PCS adopted white.) Consequently the
2084 * following is just a warning.
2085 */
2086 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2087 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2088 "PCS illuminant is not D50");
2089
2090 /* The PNG spec requires this:
2091 * "If the iCCP chunk is present, the image samples conform to the colour
2092 * space represented by the embedded ICC profile as defined by the
2093 * International Color Consortium [ICC]. The colour space of the ICC profile
2094 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2095 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2096 * and 4)."
2097 *
2098 * This checking code ensures the embedded profile (on either read or write)
2099 * conforms to the specification requirements. Notice that an ICC 'gray'
2100 * color-space profile contains the information to transform the monochrome
2101 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2102 * should be used in preference to the standard libpng K channel replication
2103 * into R, G and B channels.
2104 *
2105 * Previously it was suggested that an RGB profile on grayscale data could be
2106 * handled. However it it is clear that using an RGB profile in this context
2107 * must be an error - there is no specification of what it means. Thus it is
2108 * almost certainly more correct to ignore the profile.
2109 */
2110 temp = png_get_uint_32(profile+16); /* data colour space field */
2111 switch (temp)
2112 {
2113 case 0x52474220: /* 'RGB ' */
2114 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2115 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116 "RGB color space not permitted on grayscale PNG");
2117 break;
2118
2119 case 0x47524159: /* 'GRAY' */
2120 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2121 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2122 "Gray color space not permitted on RGB PNG");
2123 break;
2124
2125 default:
2126 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2127 "invalid ICC profile color space");
2128 }
2129
2130 /* It is up to the application to check that the profile class matches the
2131 * application requirements; the spec provides no guidance, but it's pretty
2132 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2133 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2134 * cases. Issue an error for device link or abstract profiles - these don't
2135 * contain the records necessary to transform the color-space to anything
2136 * other than the target device (and not even that for an abstract profile).
2137 * Profiles of these classes may not be embedded in images.
2138 */
2139 temp = png_get_uint_32(profile+12); /* profile/device class */
2140 switch (temp)
2141 {
2142 case 0x73636e72: /* 'scnr' */
2143 case 0x6d6e7472: /* 'mntr' */
2144 case 0x70727472: /* 'prtr' */
2145 case 0x73706163: /* 'spac' */
2146 /* All supported */
2147 break;
2148
2149 case 0x61627374: /* 'abst' */
2150 /* May not be embedded in an image */
2151 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2152 "invalid embedded Abstract ICC profile");
2153
2154 case 0x6c696e6b: /* 'link' */
2155 /* DeviceLink profiles cannot be interpreted in a non-device specific
2156 * fashion, if an app uses the AToB0Tag in the profile the results are
2157 * undefined unless the result is sent to the intended device,
2158 * therefore a DeviceLink profile should not be found embedded in a
2159 * PNG.
2160 */
2161 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2162 "unexpected DeviceLink ICC profile class");
2163
2164 case 0x6e6d636c: /* 'nmcl' */
2165 /* A NamedColor profile is also device specific, however it doesn't
2166 * contain an AToB0 tag that is open to misinterpretation. Almost
2167 * certainly it will fail the tests below.
2168 */
2169 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2170 "unexpected NamedColor ICC profile class");
2171 break;
2172
2173 default:
2174 /* To allow for future enhancements to the profile accept unrecognized
2175 * profile classes with a warning, these then hit the test below on the
2176 * tag content to ensure they are backward compatible with one of the
2177 * understood profiles.
2178 */
2179 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2180 "unrecognized ICC profile class");
2181 break;
2182 }
2183
2184 /* For any profile other than a device link one the PCS must be encoded
2185 * either in XYZ or Lab.
2186 */
2187 temp = png_get_uint_32(profile+20);
2188 switch (temp)
2189 {
2190 case 0x58595a20: /* 'XYZ ' */
2191 case 0x4c616220: /* 'Lab ' */
2192 break;
2193
2194 default:
2195 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2196 "unexpected ICC PCS encoding");
2197 }
2198
2199 return 1;
2200}
2201
2202int /* PRIVATE */
2203png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2204 png_const_charp name, png_uint_32 profile_length,
2205 png_const_bytep profile /* header plus whole tag table */)
2206{
2207 png_uint_32 tag_count = png_get_uint_32(profile+128);
2208 png_uint_32 itag;
2209 png_const_bytep tag = profile+132; /* The first tag */
2210
2211 /* First scan all the tags in the table and add bits to the icc_info value
2212 * (temporarily in 'tags').
2213 */
2214 for (itag=0; itag < tag_count; ++itag, tag += 12)
2215 {
2216 png_uint_32 tag_id = png_get_uint_32(tag+0);
2217 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2218 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2219
2220 /* The ICC specification does not exclude zero length tags, therefore the
2221 * start might actually be anywhere if there is no data, but this would be
2222 * a clear abuse of the intent of the standard so the start is checked for
2223 * being in range. All defined tag types have an 8 byte header - a 4 byte
2224 * type signature then 0.
2225 */
2226
2227 /* This is a hard error; potentially it can cause read outside the
2228 * profile.
2229 */
2230 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2231 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2232 "ICC profile tag outside profile");
2233
2234 if ((tag_start & 3) != 0)
2235 {
2236 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2237 * only a warning here because libpng does not care about the
2238 * alignment.
2239 */
2240 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2241 "ICC profile tag start not a multiple of 4");
2242 }
2243 }
2244
2245 return 1; /* success, maybe with warnings */
2246}
2247
2248#ifdef PNG_sRGB_SUPPORTED
2249#if PNG_sRGB_PROFILE_CHECKS >= 0
2250/* Information about the known ICC sRGB profiles */
2251static const struct
2252{
2253 png_uint_32 adler, crc, length;
2254 png_uint_32 md5[4];
2255 png_byte have_md5;
2256 png_byte is_broken;
2257 png_uint_16 intent;
2258
2259# define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2260# define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2261 { adler, crc, length, md5, broke, intent },
2262
2263} png_sRGB_checks[] =
2264{
2265 /* This data comes from contrib/tools/checksum-icc run on downloads of
2266 * all four ICC sRGB profiles from www.color.org.
2267 */
2268 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2269 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2270 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2271 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2272
2273 /* ICC sRGB v2 perceptual no black-compensation: */
2274 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2275 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2276 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2277
2278 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2279 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2280 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2281
2282 /* ICC sRGB v4 perceptual */
2283 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2284 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2285 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2286
2287 /* The following profiles have no known MD5 checksum. If there is a match
2288 * on the (empty) MD5 the other fields are used to attempt a match and
2289 * a warning is produced. The first two of these profiles have a 'cprt' tag
2290 * which suggests that they were also made by Hewlett Packard.
2291 */
2292 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2293 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2294 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2295
2296 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2297 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2298 * so the white point is recorded as the un-adapted value.) The profiles
2299 * below only differ in one byte - the intent - and are basically the same as
2300 * the previous profile except for the mediaWhitePointTag error and a missing
2301 * chromaticAdaptationTag.
2302 */
2303 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2304 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2305 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2306
2307 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2308 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2309 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2310};
2311
2312static int
2313png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2314 png_const_bytep profile, uLong adler)
2315{
2316 /* The quick check is to verify just the MD5 signature and trust the
2317 * rest of the data. Because the profile has already been verified for
2318 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2319 * field too, so if the profile has been edited with an intent not defined
2320 * by sRGB (but maybe defined by a later ICC specification) the read of
2321 * the profile will fail at that point.
2322 */
2323
2324 png_uint_32 length = 0;
2325 png_uint_32 intent = 0x10000; /* invalid */
2326#if PNG_sRGB_PROFILE_CHECKS > 1
2327 uLong crc = 0; /* the value for 0 length data */
2328#endif
2329 unsigned int i;
2330
2331#ifdef PNG_SET_OPTION_SUPPORTED
2332 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2333 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2334 PNG_OPTION_ON)
2335 return 0;
2336#endif
2337
2338 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2339 {
2340 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2341 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2342 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2343 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2344 {
2345 /* This may be one of the old HP profiles without an MD5, in that
2346 * case we can only use the length and Adler32 (note that these
2347 * are not used by default if there is an MD5!)
2348 */
2349# if PNG_sRGB_PROFILE_CHECKS == 0
2350 if (png_sRGB_checks[i].have_md5 != 0)
2351 return 1+png_sRGB_checks[i].is_broken;
2352# endif
2353
2354 /* Profile is unsigned or more checks have been configured in. */
2355 if (length == 0)
2356 {
2357 length = png_get_uint_32(profile);
2358 intent = png_get_uint_32(profile+64);
2359 }
2360
2361 /* Length *and* intent must match */
2362 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2363 intent == (png_uint_32) png_sRGB_checks[i].intent)
2364 {
2365 /* Now calculate the adler32 if not done already. */
2366 if (adler == 0)
2367 {
2368 adler = adler32(0, NULL, 0);
2369 adler = adler32(adler, profile, length);
2370 }
2371
2372 if (adler == png_sRGB_checks[i].adler)
2373 {
2374 /* These basic checks suggest that the data has not been
2375 * modified, but if the check level is more than 1 perform
2376 * our own crc32 checksum on the data.
2377 */
2378# if PNG_sRGB_PROFILE_CHECKS > 1
2379 if (crc == 0)
2380 {
2381 crc = crc32(0, NULL, 0);
2382 crc = crc32(crc, profile, length);
2383 }
2384
2385 /* So this check must pass for the 'return' below to happen.
2386 */
2387 if (crc == png_sRGB_checks[i].crc)
2388# endif
2389 {
2390 if (png_sRGB_checks[i].is_broken != 0)
2391 {
2392 /* These profiles are known to have bad data that may cause
2393 * problems if they are used, therefore attempt to
2394 * discourage their use, skip the 'have_md5' warning below,
2395 * which is made irrelevant by this error.
2396 */
2397 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2398 PNG_CHUNK_ERROR);
2399 }
2400
2401 /* Warn that this being done; this isn't even an error since
2402 * the profile is perfectly valid, but it would be nice if
2403 * people used the up-to-date ones.
2404 */
2405 else if (png_sRGB_checks[i].have_md5 == 0)
2406 {
2407 png_chunk_report(png_ptr,
2408 "out-of-date sRGB profile with no signature",
2409 PNG_CHUNK_WARNING);
2410 }
2411
2412 return 1+png_sRGB_checks[i].is_broken;
2413 }
2414 }
2415
2416# if PNG_sRGB_PROFILE_CHECKS > 0
2417 /* The signature matched, but the profile had been changed in some
2418 * way. This probably indicates a data error or uninformed hacking.
2419 * Fall through to "no match".
2420 */
2421 png_chunk_report(png_ptr,
2422 "Not recognizing known sRGB profile that has been edited",
2423 PNG_CHUNK_WARNING);
2424 break;
2425# endif
2426 }
2427 }
2428 }
2429
2430 return 0; /* no match */
2431}
2432
2433void /* PRIVATE */
2434png_icc_set_sRGB(png_const_structrp png_ptr,
2435 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2436{
2437 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2438 * the sRGB information.
2439 */
2440 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2441 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2442 (int)/*already checked*/png_get_uint_32(profile+64));
2443}
2444#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2445#endif /* sRGB */
2446
2447int /* PRIVATE */
2448png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2449 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2450 int color_type)
2451{
2452 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2453 return 0;
2454
2455 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2456 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2457 color_type) != 0 &&
2458 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2459 profile) != 0)
2460 {
2461# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2462 /* If no sRGB support, don't try storing sRGB information */
2463 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2464# endif
2465 return 1;
2466 }
2467
2468 /* Failure case */
2469 return 0;
2470}
2471#endif /* iCCP */
2472
2473#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2474void /* PRIVATE */
2475png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2476{
2477 /* Set the rgb_to_gray coefficients from the colorspace. */
2478 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2479 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2480 {
2481 /* png_set_background has not been called, get the coefficients from the Y
2482 * values of the colorspace colorants.
2483 */
2484 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2485 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2486 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2487 png_fixed_point total = r+g+b;
2488
2489 if (total > 0 &&
2490 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2491 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2492 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2493 r+g+b <= 32769)
2494 {
2495 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2496 * all of the coefficients were rounded up. Handle this by
2497 * reducing the *largest* coefficient by 1; this matches the
2498 * approach used for the default coefficients in pngrtran.c
2499 */
2500 int add = 0;
2501
2502 if (r+g+b > 32768)
2503 add = -1;
2504 else if (r+g+b < 32768)
2505 add = 1;
2506
2507 if (add != 0)
2508 {
2509 if (g >= r && g >= b)
2510 g += add;
2511 else if (r >= g && r >= b)
2512 r += add;
2513 else
2514 b += add;
2515 }
2516
2517 /* Check for an internal error. */
2518 if (r+g+b != 32768)
2519 png_error(png_ptr,
2520 "internal error handling cHRM coefficients");
2521
2522 else
2523 {
2524 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2525 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2526 }
2527 }
2528
2529 /* This is a png_error at present even though it could be ignored -
2530 * it should never happen, but it is important that if it does, the
2531 * bug is fixed.
2532 */
2533 else
2534 png_error(png_ptr, "internal error handling cHRM->XYZ");
2535 }
2536}
2537#endif /* READ_RGB_TO_GRAY */
2538
2539#endif /* COLORSPACE */
2540
2541#ifdef __GNUC__
2542/* This exists solely to work round a warning from GNU C. */
2543static int /* PRIVATE */
2544png_gt(size_t a, size_t b)
2545{
2546 return a > b;
2547}
2548#else
2549# define png_gt(a,b) ((a) > (b))
2550#endif
2551
2552void /* PRIVATE */
2553png_check_IHDR(png_const_structrp png_ptr,
2554 png_uint_32 width, png_uint_32 height, int bit_depth,
2555 int color_type, int interlace_type, int compression_type,
2556 int filter_type)
2557{
2558 int error = 0;
2559
2560 /* Check for width and height valid values */
2561 if (width == 0)
2562 {
2563 png_warning(png_ptr, "Image width is zero in IHDR");
2564 error = 1;
2565 }
2566
2567 if (width > PNG_UINT_31_MAX)
2568 {
2569 png_warning(png_ptr, "Invalid image width in IHDR");
2570 error = 1;
2571 }
2572
2573 if (png_gt(((width + 7) & (~7U)),
2574 ((PNG_SIZE_MAX
2575 - 48 /* big_row_buf hack */
2576 - 1) /* filter byte */
2577 / 8) /* 8-byte RGBA pixels */
2578 - 1)) /* extra max_pixel_depth pad */
2579 {
2580 /* The size of the row must be within the limits of this architecture.
2581 * Because the read code can perform arbitrary transformations the
2582 * maximum size is checked here. Because the code in png_read_start_row
2583 * adds extra space "for safety's sake" in several places a conservative
2584 * limit is used here.
2585 *
2586 * NOTE: it would be far better to check the size that is actually used,
2587 * but the effect in the real world is minor and the changes are more
2588 * extensive, therefore much more dangerous and much more difficult to
2589 * write in a way that avoids compiler warnings.
2590 */
2591 png_warning(png_ptr, "Image width is too large for this architecture");
2592 error = 1;
2593 }
2594
2595#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2596 if (width > png_ptr->user_width_max)
2597#else
2598 if (width > PNG_USER_WIDTH_MAX)
2599#endif
2600 {
2601 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2602 error = 1;
2603 }
2604
2605 if (height == 0)
2606 {
2607 png_warning(png_ptr, "Image height is zero in IHDR");
2608 error = 1;
2609 }
2610
2611 if (height > PNG_UINT_31_MAX)
2612 {
2613 png_warning(png_ptr, "Invalid image height in IHDR");
2614 error = 1;
2615 }
2616
2617#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2618 if (height > png_ptr->user_height_max)
2619#else
2620 if (height > PNG_USER_HEIGHT_MAX)
2621#endif
2622 {
2623 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2624 error = 1;
2625 }
2626
2627 /* Check other values */
2628 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2629 bit_depth != 8 && bit_depth != 16)
2630 {
2631 png_warning(png_ptr, "Invalid bit depth in IHDR");
2632 error = 1;
2633 }
2634
2635 if (color_type < 0 || color_type == 1 ||
2636 color_type == 5 || color_type > 6)
2637 {
2638 png_warning(png_ptr, "Invalid color type in IHDR");
2639 error = 1;
2640 }
2641
2642 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2643 ((color_type == PNG_COLOR_TYPE_RGB ||
2644 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2645 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2646 {
2647 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2648 error = 1;
2649 }
2650
2651 if (interlace_type >= PNG_INTERLACE_LAST)
2652 {
2653 png_warning(png_ptr, "Unknown interlace method in IHDR");
2654 error = 1;
2655 }
2656
2657 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2658 {
2659 png_warning(png_ptr, "Unknown compression method in IHDR");
2660 error = 1;
2661 }
2662
2663#ifdef PNG_MNG_FEATURES_SUPPORTED
2664 /* Accept filter_method 64 (intrapixel differencing) only if
2665 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2666 * 2. Libpng did not read a PNG signature (this filter_method is only
2667 * used in PNG datastreams that are embedded in MNG datastreams) and
2668 * 3. The application called png_permit_mng_features with a mask that
2669 * included PNG_FLAG_MNG_FILTER_64 and
2670 * 4. The filter_method is 64 and
2671 * 5. The color_type is RGB or RGBA
2672 */
2673 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2674 png_ptr->mng_features_permitted != 0)
2675 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2676
2677 if (filter_type != PNG_FILTER_TYPE_BASE)
2678 {
2679 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2680 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2681 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2682 (color_type == PNG_COLOR_TYPE_RGB ||
2683 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2684 {
2685 png_warning(png_ptr, "Unknown filter method in IHDR");
2686 error = 1;
2687 }
2688
2689 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2690 {
2691 png_warning(png_ptr, "Invalid filter method in IHDR");
2692 error = 1;
2693 }
2694 }
2695
2696#else
2697 if (filter_type != PNG_FILTER_TYPE_BASE)
2698 {
2699 png_warning(png_ptr, "Unknown filter method in IHDR");
2700 error = 1;
2701 }
2702#endif
2703
2704 if (error == 1)
2705 png_error(png_ptr, "Invalid IHDR data");
2706}
2707
2708#if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2709/* ASCII to fp functions */
2710/* Check an ASCII formated floating point value, see the more detailed
2711 * comments in pngpriv.h
2712 */
2713/* The following is used internally to preserve the sticky flags */
2714#define png_fp_add(state, flags) ((state) |= (flags))
2715#define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2716
2717int /* PRIVATE */
2718png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2719 png_size_tp whereami)
2720{
2721 int state = *statep;
2722 png_size_t i = *whereami;
2723
2724 while (i < size)
2725 {
2726 int type;
2727 /* First find the type of the next character */
2728 switch (string[i])
2729 {
2730 case 43: type = PNG_FP_SAW_SIGN; break;
2731 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2732 case 46: type = PNG_FP_SAW_DOT; break;
2733 case 48: type = PNG_FP_SAW_DIGIT; break;
2734 case 49: case 50: case 51: case 52:
2735 case 53: case 54: case 55: case 56:
2736 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2737 case 69:
2738 case 101: type = PNG_FP_SAW_E; break;
2739 default: goto PNG_FP_End;
2740 }
2741
2742 /* Now deal with this type according to the current
2743 * state, the type is arranged to not overlap the
2744 * bits of the PNG_FP_STATE.
2745 */
2746 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2747 {
2748 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2749 if ((state & PNG_FP_SAW_ANY) != 0)
2750 goto PNG_FP_End; /* not a part of the number */
2751
2752 png_fp_add(state, type);
2753 break;
2754
2755 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2756 /* Ok as trailer, ok as lead of fraction. */
2757 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2758 goto PNG_FP_End;
2759
2760 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2761 png_fp_add(state, type);
2762
2763 else
2764 png_fp_set(state, PNG_FP_FRACTION | type);
2765
2766 break;
2767
2768 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2769 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2770 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2771
2772 png_fp_add(state, type | PNG_FP_WAS_VALID);
2773
2774 break;
2775
2776 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2777 if ((state & PNG_FP_SAW_DIGIT) == 0)
2778 goto PNG_FP_End;
2779
2780 png_fp_set(state, PNG_FP_EXPONENT);
2781
2782 break;
2783
2784 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2785 goto PNG_FP_End; ** no sign in fraction */
2786
2787 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2788 goto PNG_FP_End; ** Because SAW_DOT is always set */
2789
2790 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2791 png_fp_add(state, type | PNG_FP_WAS_VALID);
2792 break;
2793
2794 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2795 /* This is correct because the trailing '.' on an
2796 * integer is handled above - so we can only get here
2797 * with the sequence ".E" (with no preceding digits).
2798 */
2799 if ((state & PNG_FP_SAW_DIGIT) == 0)
2800 goto PNG_FP_End;
2801
2802 png_fp_set(state, PNG_FP_EXPONENT);
2803
2804 break;
2805
2806 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2807 if ((state & PNG_FP_SAW_ANY) != 0)
2808 goto PNG_FP_End; /* not a part of the number */
2809
2810 png_fp_add(state, PNG_FP_SAW_SIGN);
2811
2812 break;
2813
2814 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2815 goto PNG_FP_End; */
2816
2817 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2818 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2819
2820 break;
2821
2822 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2823 goto PNG_FP_End; */
2824
2825 default: goto PNG_FP_End; /* I.e. break 2 */
2826 }
2827
2828 /* The character seems ok, continue. */
2829 ++i;
2830 }
2831
2832PNG_FP_End:
2833 /* Here at the end, update the state and return the correct
2834 * return code.
2835 */
2836 *statep = state;
2837 *whereami = i;
2838
2839 return (state & PNG_FP_SAW_DIGIT) != 0;
2840}
2841
2842
2843/* The same but for a complete string. */
2844int
2845png_check_fp_string(png_const_charp string, png_size_t size)
2846{
2847 int state=0;
2848 png_size_t char_index=0;
2849
2850 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2851 (char_index == size || string[char_index] == 0))
2852 return state /* must be non-zero - see above */;
2853
2854 return 0; /* i.e. fail */
2855}
2856#endif /* pCAL || sCAL */
2857
2858#ifdef PNG_sCAL_SUPPORTED
2859# ifdef PNG_FLOATING_POINT_SUPPORTED
2860/* Utility used below - a simple accurate power of ten from an integral
2861 * exponent.
2862 */
2863static double
2864png_pow10(int power)
2865{
2866 int recip = 0;
2867 double d = 1;
2868
2869 /* Handle negative exponent with a reciprocal at the end because
2870 * 10 is exact whereas .1 is inexact in base 2
2871 */
2872 if (power < 0)
2873 {
2874 if (power < DBL_MIN_10_EXP) return 0;
2875 recip = 1; power = -power;
2876 }
2877
2878 if (power > 0)
2879 {
2880 /* Decompose power bitwise. */
2881 double mult = 10;
2882 do
2883 {
2884 if (power & 1) d *= mult;
2885 mult *= mult;
2886 power >>= 1;
2887 }
2888 while (power > 0);
2889
2890 if (recip != 0) d = 1/d;
2891 }
2892 /* else power is 0 and d is 1 */
2893
2894 return d;
2895}
2896
2897/* Function to format a floating point value in ASCII with a given
2898 * precision.
2899 */
2900#if GCC_STRICT_OVERFLOW
2901#pragma GCC diagnostic push
2902/* The problem arises below with exp_b10, which can never overflow because it
2903 * comes, originally, from frexp and is therefore limited to a range which is
2904 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2905 */
2906#pragma GCC diagnostic warning "-Wstrict-overflow=2"
2907#endif /* GCC_STRICT_OVERFLOW */
2908void /* PRIVATE */
2909png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
2910 double fp, unsigned int precision)
2911{
2912 /* We use standard functions from math.h, but not printf because
2913 * that would require stdio. The caller must supply a buffer of
2914 * sufficient size or we will png_error. The tests on size and
2915 * the space in ascii[] consumed are indicated below.
2916 */
2917 if (precision < 1)
2918 precision = DBL_DIG;
2919
2920 /* Enforce the limit of the implementation precision too. */
2921 if (precision > DBL_DIG+1)
2922 precision = DBL_DIG+1;
2923
2924 /* Basic sanity checks */
2925 if (size >= precision+5) /* See the requirements below. */
2926 {
2927 if (fp < 0)
2928 {
2929 fp = -fp;
2930 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2931 --size;
2932 }
2933
2934 if (fp >= DBL_MIN && fp <= DBL_MAX)
2935 {
2936 int exp_b10; /* A base 10 exponent */
2937 double base; /* 10^exp_b10 */
2938
2939 /* First extract a base 10 exponent of the number,
2940 * the calculation below rounds down when converting
2941 * from base 2 to base 10 (multiply by log10(2) -
2942 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2943 * be increased. Note that the arithmetic shift
2944 * performs a floor() unlike C arithmetic - using a
2945 * C multiply would break the following for negative
2946 * exponents.
2947 */
2948 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2949
2950 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2951
2952 /* Avoid underflow here. */
2953 base = png_pow10(exp_b10); /* May underflow */
2954
2955 while (base < DBL_MIN || base < fp)
2956 {
2957 /* And this may overflow. */
2958 double test = png_pow10(exp_b10+1);
2959
2960 if (test <= DBL_MAX)
2961 {
2962 ++exp_b10; base = test;
2963 }
2964
2965 else
2966 break;
2967 }
2968
2969 /* Normalize fp and correct exp_b10, after this fp is in the
2970 * range [.1,1) and exp_b10 is both the exponent and the digit
2971 * *before* which the decimal point should be inserted
2972 * (starting with 0 for the first digit). Note that this
2973 * works even if 10^exp_b10 is out of range because of the
2974 * test on DBL_MAX above.
2975 */
2976 fp /= base;
2977 while (fp >= 1)
2978 {
2979 fp /= 10; ++exp_b10;
2980 }
2981
2982 /* Because of the code above fp may, at this point, be
2983 * less than .1, this is ok because the code below can
2984 * handle the leading zeros this generates, so no attempt
2985 * is made to correct that here.
2986 */
2987
2988 {
2989 unsigned int czero, clead, cdigits;
2990 char exponent[10];
2991
2992 /* Allow up to two leading zeros - this will not lengthen
2993 * the number compared to using E-n.
2994 */
2995 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2996 {
2997 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
2998 exp_b10 = 0; /* Dot added below before first output. */
2999 }
3000 else
3001 czero = 0; /* No zeros to add */
3002
3003 /* Generate the digit list, stripping trailing zeros and
3004 * inserting a '.' before a digit if the exponent is 0.
3005 */
3006 clead = czero; /* Count of leading zeros */
3007 cdigits = 0; /* Count of digits in list. */
3008
3009 do
3010 {
3011 double d;
3012
3013 fp *= 10;
3014 /* Use modf here, not floor and subtract, so that
3015 * the separation is done in one step. At the end
3016 * of the loop don't break the number into parts so
3017 * that the final digit is rounded.
3018 */
3019 if (cdigits+czero+1 < precision+clead)
3020 fp = modf(fp, &d);
3021
3022 else
3023 {
3024 d = floor(fp + .5);
3025
3026 if (d > 9)
3027 {
3028 /* Rounding up to 10, handle that here. */
3029 if (czero > 0)
3030 {
3031 --czero; d = 1;
3032 if (cdigits == 0) --clead;
3033 }
3034 else
3035 {
3036 while (cdigits > 0 && d > 9)
3037 {
3038 int ch = *--ascii;
3039
3040 if (exp_b10 != (-1))
3041 ++exp_b10;
3042
3043 else if (ch == 46)
3044 {
3045 ch = *--ascii; ++size;
3046 /* Advance exp_b10 to '1', so that the
3047 * decimal point happens after the
3048 * previous digit.
3049 */
3050 exp_b10 = 1;
3051 }
3052
3053 --cdigits;
3054 d = ch - 47; /* I.e. 1+(ch-48) */
3055 }
3056
3057 /* Did we reach the beginning? If so adjust the
3058 * exponent but take into account the leading
3059 * decimal point.
3060 */
3061 if (d > 9) /* cdigits == 0 */
3062 {
3063 if (exp_b10 == (-1))
3064 {
3065 /* Leading decimal point (plus zeros?), if
3066 * we lose the decimal point here it must
3067 * be reentered below.
3068 */
3069 int ch = *--ascii;
3070
3071 if (ch == 46)
3072 {
3073 ++size; exp_b10 = 1;
3074 }
3075
3076 /* Else lost a leading zero, so 'exp_b10' is
3077 * still ok at (-1)
3078 */
3079 }
3080 else
3081 ++exp_b10;
3082
3083 /* In all cases we output a '1' */
3084 d = 1;
3085 }
3086 }
3087 }
3088 fp = 0; /* Guarantees termination below. */
3089 }
3090
3091 if (d == 0)
3092 {
3093 ++czero;
3094 if (cdigits == 0) ++clead;
3095 }
3096 else
3097 {
3098 /* Included embedded zeros in the digit count. */
3099 cdigits += czero - clead;
3100 clead = 0;
3101
3102 while (czero > 0)
3103 {
3104 /* exp_b10 == (-1) means we just output the decimal
3105 * place - after the DP don't adjust 'exp_b10' any
3106 * more!
3107 */
3108 if (exp_b10 != (-1))
3109 {
3110 if (exp_b10 == 0)
3111 {
3112 *ascii++ = 46; --size;
3113 }
3114 /* PLUS 1: TOTAL 4 */
3115 --exp_b10;
3116 }
3117 *ascii++ = 48; --czero;
3118 }
3119
3120 if (exp_b10 != (-1))
3121 {
3122 if (exp_b10 == 0)
3123 {
3124 *ascii++ = 46; --size; /* counted above */
3125 }
3126
3127 --exp_b10;
3128 }
3129 *ascii++ = (char)(48 + (int)d); ++cdigits;
3130 }
3131 }
3132 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3133
3134 /* The total output count (max) is now 4+precision */
3135
3136 /* Check for an exponent, if we don't need one we are
3137 * done and just need to terminate the string. At
3138 * this point exp_b10==(-1) is effectively a flag - it got
3139 * to '-1' because of the decrement after outputting
3140 * the decimal point above (the exponent required is
3141 * *not* -1!)
3142 */
3143 if (exp_b10 >= (-1) && exp_b10 <= 2)
3144 {
3145 /* The following only happens if we didn't output the
3146 * leading zeros above for negative exponent, so this
3147 * doesn't add to the digit requirement. Note that the
3148 * two zeros here can only be output if the two leading
3149 * zeros were *not* output, so this doesn't increase
3150 * the output count.
3151 */
3152 while (exp_b10-- > 0) *ascii++ = 48;
3153
3154 *ascii = 0;
3155
3156 /* Total buffer requirement (including the '\0') is
3157 * 5+precision - see check at the start.
3158 */
3159 return;
3160 }
3161
3162 /* Here if an exponent is required, adjust size for
3163 * the digits we output but did not count. The total
3164 * digit output here so far is at most 1+precision - no
3165 * decimal point and no leading or trailing zeros have
3166 * been output.
3167 */
3168 size -= cdigits;
3169
3170 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */
3171
3172 /* The following use of an unsigned temporary avoids ambiguities in
3173 * the signed arithmetic on exp_b10 and permits GCC at least to do
3174 * better optimization.
3175 */
3176 {
3177 unsigned int uexp_b10;
3178
3179 if (exp_b10 < 0)
3180 {
3181 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3182 uexp_b10 = 0U-exp_b10;
3183 }
3184
3185 else
3186 uexp_b10 = 0U+exp_b10;
3187
3188 cdigits = 0;
3189
3190 while (uexp_b10 > 0)
3191 {
3192 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3193 uexp_b10 /= 10;
3194 }
3195 }
3196
3197 /* Need another size check here for the exponent digits, so
3198 * this need not be considered above.
3199 */
3200 if (size > cdigits)
3201 {
3202 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3203
3204 *ascii = 0;
3205
3206 return;
3207 }
3208 }
3209 }
3210 else if (!(fp >= DBL_MIN))
3211 {
3212 *ascii++ = 48; /* '0' */
3213 *ascii = 0;
3214 return;
3215 }
3216 else
3217 {
3218 *ascii++ = 105; /* 'i' */
3219 *ascii++ = 110; /* 'n' */
3220 *ascii++ = 102; /* 'f' */
3221 *ascii = 0;
3222 return;
3223 }
3224 }
3225
3226 /* Here on buffer too small. */
3227 png_error(png_ptr, "ASCII conversion buffer too small");
3228}
3229#if GCC_STRICT_OVERFLOW
3230#pragma GCC diagnostic pop
3231#endif /* GCC_STRICT_OVERFLOW */
3232
3233# endif /* FLOATING_POINT */
3234
3235# ifdef PNG_FIXED_POINT_SUPPORTED
3236/* Function to format a fixed point value in ASCII.
3237 */
3238void /* PRIVATE */
3239png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3240 png_size_t size, png_fixed_point fp)
3241{
3242 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3243 * trailing \0, 13 characters:
3244 */
3245 if (size > 12)
3246 {
3247 png_uint_32 num;
3248
3249 /* Avoid overflow here on the minimum integer. */
3250 if (fp < 0)
3251 {
3252 *ascii++ = 45; num = (png_uint_32)(-fp);
3253 }
3254 else
3255 num = (png_uint_32)fp;
3256
3257 if (num <= 0x80000000) /* else overflowed */
3258 {
3259 unsigned int ndigits = 0, first = 16 /* flag value */;
3260 char digits[10];
3261
3262 while (num)
3263 {
3264 /* Split the low digit off num: */
3265 unsigned int tmp = num/10;
3266 num -= tmp*10;
3267 digits[ndigits++] = (char)(48 + num);
3268 /* Record the first non-zero digit, note that this is a number
3269 * starting at 1, it's not actually the array index.
3270 */
3271 if (first == 16 && num > 0)
3272 first = ndigits;
3273 num = tmp;
3274 }
3275
3276 if (ndigits > 0)
3277 {
3278 while (ndigits > 5) *ascii++ = digits[--ndigits];
3279 /* The remaining digits are fractional digits, ndigits is '5' or
3280 * smaller at this point. It is certainly not zero. Check for a
3281 * non-zero fractional digit:
3282 */
3283 if (first <= 5)
3284 {
3285 unsigned int i;
3286 *ascii++ = 46; /* decimal point */
3287 /* ndigits may be <5 for small numbers, output leading zeros
3288 * then ndigits digits to first:
3289 */
3290 i = 5;
3291 while (ndigits < i)
3292 {
3293 *ascii++ = 48; --i;
3294 }
3295 while (ndigits >= first) *ascii++ = digits[--ndigits];
3296 /* Don't output the trailing zeros! */
3297 }
3298 }
3299 else
3300 *ascii++ = 48;
3301
3302 /* And null terminate the string: */
3303 *ascii = 0;
3304 return;
3305 }
3306 }
3307
3308 /* Here on buffer too small. */
3309 png_error(png_ptr, "ASCII conversion buffer too small");
3310}
3311# endif /* FIXED_POINT */
3312#endif /* SCAL */
3313
3314#if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3315 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3316 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3317 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3318 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3319 (defined(PNG_sCAL_SUPPORTED) && \
3320 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3321png_fixed_point
3322png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3323{
3324 double r = floor(100000 * fp + .5);
3325
3326 if (r > 2147483647. || r < -2147483648.)
3327 png_fixed_error(png_ptr, text);
3328
3329# ifndef PNG_ERROR_TEXT_SUPPORTED
3330 PNG_UNUSED(text)
3331# endif
3332
3333 return (png_fixed_point)r;
3334}
3335#endif
3336
3337#if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3338 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3339/* muldiv functions */
3340/* This API takes signed arguments and rounds the result to the nearest
3341 * integer (or, for a fixed point number - the standard argument - to
3342 * the nearest .00001). Overflow and divide by zero are signalled in
3343 * the result, a boolean - true on success, false on overflow.
3344 */
3345#if GCC_STRICT_OVERFLOW /* from above */
3346/* It is not obvious which comparison below gets optimized in such a way that
3347 * signed overflow would change the result; looking through the code does not
3348 * reveal any tests which have the form GCC complains about, so presumably the
3349 * optimizer is moving an add or subtract into the 'if' somewhere.
3350 */
3351#pragma GCC diagnostic push
3352#pragma GCC diagnostic warning "-Wstrict-overflow=2"
3353#endif /* GCC_STRICT_OVERFLOW */
3354int
3355png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3356 png_int_32 divisor)
3357{
3358 /* Return a * times / divisor, rounded. */
3359 if (divisor != 0)
3360 {
3361 if (a == 0 || times == 0)
3362 {
3363 *res = 0;
3364 return 1;
3365 }
3366 else
3367 {
3368#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3369 double r = a;
3370 r *= times;
3371 r /= divisor;
3372 r = floor(r+.5);
3373
3374 /* A png_fixed_point is a 32-bit integer. */
3375 if (r <= 2147483647. && r >= -2147483648.)
3376 {
3377 *res = (png_fixed_point)r;
3378 return 1;
3379 }
3380#else
3381 int negative = 0;
3382 png_uint_32 A, T, D;
3383 png_uint_32 s16, s32, s00;
3384
3385 if (a < 0)
3386 negative = 1, A = -a;
3387 else
3388 A = a;
3389
3390 if (times < 0)
3391 negative = !negative, T = -times;
3392 else
3393 T = times;
3394
3395 if (divisor < 0)
3396 negative = !negative, D = -divisor;
3397 else
3398 D = divisor;
3399
3400 /* Following can't overflow because the arguments only
3401 * have 31 bits each, however the result may be 32 bits.
3402 */
3403 s16 = (A >> 16) * (T & 0xffff) +
3404 (A & 0xffff) * (T >> 16);
3405 /* Can't overflow because the a*times bit is only 30
3406 * bits at most.
3407 */
3408 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3409 s00 = (A & 0xffff) * (T & 0xffff);
3410
3411 s16 = (s16 & 0xffff) << 16;
3412 s00 += s16;
3413
3414 if (s00 < s16)
3415 ++s32; /* carry */
3416
3417 if (s32 < D) /* else overflow */
3418 {
3419 /* s32.s00 is now the 64-bit product, do a standard
3420 * division, we know that s32 < D, so the maximum
3421 * required shift is 31.
3422 */
3423 int bitshift = 32;
3424 png_fixed_point result = 0; /* NOTE: signed */
3425
3426 while (--bitshift >= 0)
3427 {
3428 png_uint_32 d32, d00;
3429
3430 if (bitshift > 0)
3431 d32 = D >> (32-bitshift), d00 = D << bitshift;
3432
3433 else
3434 d32 = 0, d00 = D;
3435
3436 if (s32 > d32)
3437 {
3438 if (s00 < d00) --s32; /* carry */
3439 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3440 }
3441
3442 else
3443 if (s32 == d32 && s00 >= d00)
3444 s32 = 0, s00 -= d00, result += 1<<bitshift;
3445 }
3446
3447 /* Handle the rounding. */
3448 if (s00 >= (D >> 1))
3449 ++result;
3450
3451 if (negative != 0)
3452 result = -result;
3453
3454 /* Check for overflow. */
3455 if ((negative != 0 && result <= 0) ||
3456 (negative == 0 && result >= 0))
3457 {
3458 *res = result;
3459 return 1;
3460 }
3461 }
3462#endif
3463 }
3464 }
3465
3466 return 0;
3467}
3468#if GCC_STRICT_OVERFLOW
3469#pragma GCC diagnostic pop
3470#endif /* GCC_STRICT_OVERFLOW */
3471#endif /* READ_GAMMA || INCH_CONVERSIONS */
3472
3473#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3474/* The following is for when the caller doesn't much care about the
3475 * result.
3476 */
3477png_fixed_point
3478png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3479 png_int_32 divisor)
3480{
3481 png_fixed_point result;
3482
3483 if (png_muldiv(&result, a, times, divisor) != 0)
3484 return result;
3485
3486 png_warning(png_ptr, "fixed point overflow ignored");
3487 return 0;
3488}
3489#endif
3490
3491#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3492/* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3493png_fixed_point
3494png_reciprocal(png_fixed_point a)
3495{
3496#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3497 double r = floor(1E10/a+.5);
3498
3499 if (r <= 2147483647. && r >= -2147483648.)
3500 return (png_fixed_point)r;
3501#else
3502 png_fixed_point res;
3503
3504 if (png_muldiv(&res, 100000, 100000, a) != 0)
3505 return res;
3506#endif
3507
3508 return 0; /* error/overflow */
3509}
3510
3511/* This is the shared test on whether a gamma value is 'significant' - whether
3512 * it is worth doing gamma correction.
3513 */
3514int /* PRIVATE */
3515png_gamma_significant(png_fixed_point gamma_val)
3516{
3517 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3518 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3519}
3520#endif
3521
3522#ifdef PNG_READ_GAMMA_SUPPORTED
3523#ifdef PNG_16BIT_SUPPORTED
3524/* A local convenience routine. */
3525static png_fixed_point
3526png_product2(png_fixed_point a, png_fixed_point b)
3527{
3528 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3529#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3530 double r = a * 1E-5;
3531 r *= b;
3532 r = floor(r+.5);
3533
3534 if (r <= 2147483647. && r >= -2147483648.)
3535 return (png_fixed_point)r;
3536#else
3537 png_fixed_point res;
3538
3539 if (png_muldiv(&res, a, b, 100000) != 0)
3540 return res;
3541#endif
3542
3543 return 0; /* overflow */
3544}
3545#endif /* 16BIT */
3546
3547/* The inverse of the above. */
3548png_fixed_point
3549png_reciprocal2(png_fixed_point a, png_fixed_point b)
3550{
3551 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3552#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3553 if (a != 0 && b != 0)
3554 {
3555 double r = 1E15/a;
3556 r /= b;
3557 r = floor(r+.5);
3558
3559 if (r <= 2147483647. && r >= -2147483648.)
3560 return (png_fixed_point)r;
3561 }
3562#else
3563 /* This may overflow because the range of png_fixed_point isn't symmetric,
3564 * but this API is only used for the product of file and screen gamma so it
3565 * doesn't matter that the smallest number it can produce is 1/21474, not
3566 * 1/100000
3567 */
3568 png_fixed_point res = png_product2(a, b);
3569
3570 if (res != 0)
3571 return png_reciprocal(res);
3572#endif
3573
3574 return 0; /* overflow */
3575}
3576#endif /* READ_GAMMA */
3577
3578#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3579#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3580/* Fixed point gamma.
3581 *
3582 * The code to calculate the tables used below can be found in the shell script
3583 * contrib/tools/intgamma.sh
3584 *
3585 * To calculate gamma this code implements fast log() and exp() calls using only
3586 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3587 * or 16-bit sample values.
3588 *
3589 * The tables used here were calculated using simple 'bc' programs, but C double
3590 * precision floating point arithmetic would work fine.
3591 *
3592 * 8-bit log table
3593 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3594 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3595 * mantissa. The numbers are 32-bit fractions.
3596 */
3597static const png_uint_32
3598png_8bit_l2[128] =
3599{
3600 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3601 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3602 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3603 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3604 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3605 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3606 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3607 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3608 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3609 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3610 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3611 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3612 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3613 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3614 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3615 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3616 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3617 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3618 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3619 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3620 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3621 24347096U, 0U
3622
3623#if 0
3624 /* The following are the values for 16-bit tables - these work fine for the
3625 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3626 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3627 * use these all the shifts below must be adjusted appropriately.
3628 */
3629 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3630 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3631 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3632 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3633 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3634 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3635 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3636 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3637 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3638 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3639 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3640 1119, 744, 372
3641#endif
3642};
3643
3644static png_int_32
3645png_log8bit(unsigned int x)
3646{
3647 unsigned int lg2 = 0;
3648 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3649 * because the log is actually negate that means adding 1. The final
3650 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3651 * input), return -1 for the overflow (log 0) case, - so the result is
3652 * always at most 19 bits.
3653 */
3654 if ((x &= 0xff) == 0)
3655 return -1;
3656
3657 if ((x & 0xf0) == 0)
3658 lg2 = 4, x <<= 4;
3659
3660 if ((x & 0xc0) == 0)
3661 lg2 += 2, x <<= 2;
3662
3663 if ((x & 0x80) == 0)
3664 lg2 += 1, x <<= 1;
3665
3666 /* result is at most 19 bits, so this cast is safe: */
3667 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3668}
3669
3670/* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3671 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3672 * get an approximation then multiply the approximation by a correction factor
3673 * determined by the remaining up to 8 bits. This requires an additional step
3674 * in the 16-bit case.
3675 *
3676 * We want log2(value/65535), we have log2(v'/255), where:
3677 *
3678 * value = v' * 256 + v''
3679 * = v' * f
3680 *
3681 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3682 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3683 * than 258. The final factor also needs to correct for the fact that our 8-bit
3684 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3685 *
3686 * This gives a final formula using a calculated value 'x' which is value/v' and
3687 * scaling by 65536 to match the above table:
3688 *
3689 * log2(x/257) * 65536
3690 *
3691 * Since these numbers are so close to '1' we can use simple linear
3692 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3693 * (result 367.179). The values used below are scaled by a further 64 to give
3694 * 16-bit precision in the interpolation:
3695 *
3696 * Start (256): -23591
3697 * Zero (257): 0
3698 * End (258): 23499
3699 */
3700#ifdef PNG_16BIT_SUPPORTED
3701static png_int_32
3702png_log16bit(png_uint_32 x)
3703{
3704 unsigned int lg2 = 0;
3705
3706 /* As above, but now the input has 16 bits. */
3707 if ((x &= 0xffff) == 0)
3708 return -1;
3709
3710 if ((x & 0xff00) == 0)
3711 lg2 = 8, x <<= 8;
3712
3713 if ((x & 0xf000) == 0)
3714 lg2 += 4, x <<= 4;
3715
3716 if ((x & 0xc000) == 0)
3717 lg2 += 2, x <<= 2;
3718
3719 if ((x & 0x8000) == 0)
3720 lg2 += 1, x <<= 1;
3721
3722 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3723 * value.
3724 */
3725 lg2 <<= 28;
3726 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3727
3728 /* Now we need to interpolate the factor, this requires a division by the top
3729 * 8 bits. Do this with maximum precision.
3730 */
3731 x = ((x << 16) + (x >> 9)) / (x >> 8);
3732
3733 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3734 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3735 * 16 bits to interpolate to get the low bits of the result. Round the
3736 * answer. Note that the end point values are scaled by 64 to retain overall
3737 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3738 * the overall scaling by 6-12. Round at every step.
3739 */
3740 x -= 1U << 24;
3741
3742 if (x <= 65536U) /* <= '257' */
3743 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3744
3745 else
3746 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3747
3748 /* Safe, because the result can't have more than 20 bits: */
3749 return (png_int_32)((lg2 + 2048) >> 12);
3750}
3751#endif /* 16BIT */
3752
3753/* The 'exp()' case must invert the above, taking a 20-bit fixed point
3754 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3755 * each case only the low 16 bits are relevant - the fraction - since the
3756 * integer bits (the top 4) simply determine a shift.
3757 *
3758 * The worst case is the 16-bit distinction between 65535 and 65534. This
3759 * requires perhaps spurious accuracy in the decoding of the logarithm to
3760 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3761 * of getting this accuracy in practice.
3762 *
3763 * To deal with this the following exp() function works out the exponent of the
3764 * fractional part of the logarithm by using an accurate 32-bit value from the
3765 * top four fractional bits then multiplying in the remaining bits.
3766 */
3767static const png_uint_32
3768png_32bit_exp[16] =
3769{
3770 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3771 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3772 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3773 2553802834U, 2445529972U, 2341847524U, 2242560872U
3774};
3775
3776/* Adjustment table; provided to explain the numbers in the code below. */
3777#if 0
3778for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3779 11 44937.64284865548751208448
3780 10 45180.98734845585101160448
3781 9 45303.31936980687359311872
3782 8 45364.65110595323018870784
3783 7 45395.35850361789624614912
3784 6 45410.72259715102037508096
3785 5 45418.40724413220722311168
3786 4 45422.25021786898173001728
3787 3 45424.17186732298419044352
3788 2 45425.13273269940811464704
3789 1 45425.61317555035558641664
3790 0 45425.85339951654943850496
3791#endif
3792
3793static png_uint_32
3794png_exp(png_fixed_point x)
3795{
3796 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3797 {
3798 /* Obtain a 4-bit approximation */
3799 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3800
3801 /* Incorporate the low 12 bits - these decrease the returned value by
3802 * multiplying by a number less than 1 if the bit is set. The multiplier
3803 * is determined by the above table and the shift. Notice that the values
3804 * converge on 45426 and this is used to allow linear interpolation of the
3805 * low bits.
3806 */
3807 if (x & 0x800)
3808 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3809
3810 if (x & 0x400)
3811 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3812
3813 if (x & 0x200)
3814 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3815
3816 if (x & 0x100)
3817 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3818
3819 if (x & 0x080)
3820 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3821
3822 if (x & 0x040)
3823 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3824
3825 /* And handle the low 6 bits in a single block. */
3826 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3827
3828 /* Handle the upper bits of x. */
3829 e >>= x >> 16;
3830 return e;
3831 }
3832
3833 /* Check for overflow */
3834 if (x <= 0)
3835 return png_32bit_exp[0];
3836
3837 /* Else underflow */
3838 return 0;
3839}
3840
3841static png_byte
3842png_exp8bit(png_fixed_point lg2)
3843{
3844 /* Get a 32-bit value: */
3845 png_uint_32 x = png_exp(lg2);
3846
3847 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3848 * second, rounding, step can't overflow because of the first, subtraction,
3849 * step.
3850 */
3851 x -= x >> 8;
3852 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3853}
3854
3855#ifdef PNG_16BIT_SUPPORTED
3856static png_uint_16
3857png_exp16bit(png_fixed_point lg2)
3858{
3859 /* Get a 32-bit value: */
3860 png_uint_32 x = png_exp(lg2);
3861
3862 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3863 x -= x >> 16;
3864 return (png_uint_16)((x + 32767U) >> 16);
3865}
3866#endif /* 16BIT */
3867#endif /* FLOATING_ARITHMETIC */
3868
3869png_byte
3870png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3871{
3872 if (value > 0 && value < 255)
3873 {
3874# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3875 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3876 * convert this to a floating point value. This includes values that
3877 * would overflow if 'value' were to be converted to 'int'.
3878 *
3879 * Apparently GCC, however, does an intermediate conversion to (int)
3880 * on some (ARM) but not all (x86) platforms, possibly because of
3881 * hardware FP limitations. (E.g. if the hardware conversion always
3882 * assumes the integer register contains a signed value.) This results
3883 * in ANSI-C undefined behavior for large values.
3884 *
3885 * Other implementations on the same machine might actually be ANSI-C90
3886 * conformant and therefore compile spurious extra code for the large
3887 * values.
3888 *
3889 * We can be reasonably sure that an unsigned to float conversion
3890 * won't be faster than an int to float one. Therefore this code
3891 * assumes responsibility for the undefined behavior, which it knows
3892 * can't happen because of the check above.
3893 *
3894 * Note the argument to this routine is an (unsigned int) because, on
3895 * 16-bit platforms, it is assigned a value which might be out of
3896 * range for an (int); that would result in undefined behavior in the
3897 * caller if the *argument* ('value') were to be declared (int).
3898 */
3899 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3900 return (png_byte)r;
3901# else
3902 png_int_32 lg2 = png_log8bit(value);
3903 png_fixed_point res;
3904
3905 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3906 return png_exp8bit(res);
3907
3908 /* Overflow. */
3909 value = 0;
3910# endif
3911 }
3912
3913 return (png_byte)(value & 0xff);
3914}
3915
3916#ifdef PNG_16BIT_SUPPORTED
3917png_uint_16
3918png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3919{
3920 if (value > 0 && value < 65535)
3921 {
3922# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3923 /* The same (unsigned int)->(double) constraints apply here as above,
3924 * however in this case the (unsigned int) to (int) conversion can
3925 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3926 * that this is not possible.
3927 */
3928 double r = floor(65535*pow((png_int_32)value/65535.,
3929 gamma_val*.00001)+.5);
3930 return (png_uint_16)r;
3931# else
3932 png_int_32 lg2 = png_log16bit(value);
3933 png_fixed_point res;
3934
3935 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3936 return png_exp16bit(res);
3937
3938 /* Overflow. */
3939 value = 0;
3940# endif
3941 }
3942
3943 return (png_uint_16)value;
3944}
3945#endif /* 16BIT */
3946
3947/* This does the right thing based on the bit_depth field of the
3948 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3949 * is nominally a 16-bit value if bit depth is 8 then the result is
3950 * 8-bit (as are the arguments.)
3951 */
3952png_uint_16 /* PRIVATE */
3953png_gamma_correct(png_structrp png_ptr, unsigned int value,
3954 png_fixed_point gamma_val)
3955{
3956 if (png_ptr->bit_depth == 8)
3957 return png_gamma_8bit_correct(value, gamma_val);
3958
3959#ifdef PNG_16BIT_SUPPORTED
3960 else
3961 return png_gamma_16bit_correct(value, gamma_val);
3962#else
3963 /* should not reach this */
3964 return 0;
3965#endif /* 16BIT */
3966}
3967
3968#ifdef PNG_16BIT_SUPPORTED
3969/* Internal function to build a single 16-bit table - the table consists of
3970 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3971 * to shift the input values right (or 16-number_of_signifiant_bits).
3972 *
3973 * The caller is responsible for ensuring that the table gets cleaned up on
3974 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3975 * should be somewhere that will be cleaned.
3976 */
3977static void
3978png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3979 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3980{
3981 /* Various values derived from 'shift': */
3982 PNG_CONST unsigned int num = 1U << (8U - shift);
3983#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3984 /* CSE the division and work round wacky GCC warnings (see the comments
3985 * in png_gamma_8bit_correct for where these come from.)
3986 */
3987 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1);
3988#endif
3989 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3990 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
3991 unsigned int i;
3992
3993 png_uint_16pp table = *ptable =
3994 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3995
3996 for (i = 0; i < num; i++)
3997 {
3998 png_uint_16p sub_table = table[i] =
3999 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
4000
4001 /* The 'threshold' test is repeated here because it can arise for one of
4002 * the 16-bit tables even if the others don't hit it.
4003 */
4004 if (png_gamma_significant(gamma_val) != 0)
4005 {
4006 /* The old code would overflow at the end and this would cause the
4007 * 'pow' function to return a result >1, resulting in an
4008 * arithmetic error. This code follows the spec exactly; ig is
4009 * the recovered input sample, it always has 8-16 bits.
4010 *
4011 * We want input * 65535/max, rounded, the arithmetic fits in 32
4012 * bits (unsigned) so long as max <= 32767.
4013 */
4014 unsigned int j;
4015 for (j = 0; j < 256; j++)
4016 {
4017 png_uint_32 ig = (j << (8-shift)) + i;
4018# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4019 /* Inline the 'max' scaling operation: */
4020 /* See png_gamma_8bit_correct for why the cast to (int) is
4021 * required here.
4022 */
4023 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4024 sub_table[j] = (png_uint_16)d;
4025# else
4026 if (shift != 0)
4027 ig = (ig * 65535U + max_by_2)/max;
4028
4029 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4030# endif
4031 }
4032 }
4033 else
4034 {
4035 /* We must still build a table, but do it the fast way. */
4036 unsigned int j;
4037
4038 for (j = 0; j < 256; j++)
4039 {
4040 png_uint_32 ig = (j << (8-shift)) + i;
4041
4042 if (shift != 0)
4043 ig = (ig * 65535U + max_by_2)/max;
4044
4045 sub_table[j] = (png_uint_16)ig;
4046 }
4047 }
4048 }
4049}
4050
4051/* NOTE: this function expects the *inverse* of the overall gamma transformation
4052 * required.
4053 */
4054static void
4055png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4056 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
4057{
4058 PNG_CONST unsigned int num = 1U << (8U - shift);
4059 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
4060 unsigned int i;
4061 png_uint_32 last;
4062
4063 png_uint_16pp table = *ptable =
4064 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4065
4066 /* 'num' is the number of tables and also the number of low bits of low
4067 * bits of the input 16-bit value used to select a table. Each table is
4068 * itself indexed by the high 8 bits of the value.
4069 */
4070 for (i = 0; i < num; i++)
4071 table[i] = (png_uint_16p)png_malloc(png_ptr,
4072 256 * (sizeof (png_uint_16)));
4073
4074 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4075 * pow(out,g) is an *input* value. 'last' is the last input value set.
4076 *
4077 * In the loop 'i' is used to find output values. Since the output is
4078 * 8-bit there are only 256 possible values. The tables are set up to
4079 * select the closest possible output value for each input by finding
4080 * the input value at the boundary between each pair of output values
4081 * and filling the table up to that boundary with the lower output
4082 * value.
4083 *
4084 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4085 * values the code below uses a 16-bit value in i; the values start at
4086 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4087 * entries are filled with 255). Start i at 128 and fill all 'last'
4088 * table entries <= 'max'
4089 */
4090 last = 0;
4091 for (i = 0; i < 255; ++i) /* 8-bit output value */
4092 {
4093 /* Find the corresponding maximum input value */
4094 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4095
4096 /* Find the boundary value in 16 bits: */
4097 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4098
4099 /* Adjust (round) to (16-shift) bits: */
4100 bound = (bound * max + 32768U)/65535U + 1U;
4101
4102 while (last < bound)
4103 {
4104 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4105 last++;
4106 }
4107 }
4108
4109 /* And fill in the final entries. */
4110 while (last < (num << 8))
4111 {
4112 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4113 last++;
4114 }
4115}
4116#endif /* 16BIT */
4117
4118/* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4119 * typically much faster). Note that libpng currently does no sBIT processing
4120 * (apparently contrary to the spec) so a 256-entry table is always generated.
4121 */
4122static void
4123png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4124 PNG_CONST png_fixed_point gamma_val)
4125{
4126 unsigned int i;
4127 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4128
4129 if (png_gamma_significant(gamma_val) != 0)
4130 for (i=0; i<256; i++)
4131 table[i] = png_gamma_8bit_correct(i, gamma_val);
4132
4133 else
4134 for (i=0; i<256; ++i)
4135 table[i] = (png_byte)(i & 0xff);
4136}
4137
4138/* Used from png_read_destroy and below to release the memory used by the gamma
4139 * tables.
4140 */
4141void /* PRIVATE */
4142png_destroy_gamma_table(png_structrp png_ptr)
4143{
4144 png_free(png_ptr, png_ptr->gamma_table);
4145 png_ptr->gamma_table = NULL;
4146
4147#ifdef PNG_16BIT_SUPPORTED
4148 if (png_ptr->gamma_16_table != NULL)
4149 {
4150 int i;
4151 int istop = (1 << (8 - png_ptr->gamma_shift));
4152 for (i = 0; i < istop; i++)
4153 {
4154 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4155 }
4156 png_free(png_ptr, png_ptr->gamma_16_table);
4157 png_ptr->gamma_16_table = NULL;
4158 }
4159#endif /* 16BIT */
4160
4161#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4162 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4163 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4164 png_free(png_ptr, png_ptr->gamma_from_1);
4165 png_ptr->gamma_from_1 = NULL;
4166 png_free(png_ptr, png_ptr->gamma_to_1);
4167 png_ptr->gamma_to_1 = NULL;
4168
4169#ifdef PNG_16BIT_SUPPORTED
4170 if (png_ptr->gamma_16_from_1 != NULL)
4171 {
4172 int i;
4173 int istop = (1 << (8 - png_ptr->gamma_shift));
4174 for (i = 0; i < istop; i++)
4175 {
4176 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4177 }
4178 png_free(png_ptr, png_ptr->gamma_16_from_1);
4179 png_ptr->gamma_16_from_1 = NULL;
4180 }
4181 if (png_ptr->gamma_16_to_1 != NULL)
4182 {
4183 int i;
4184 int istop = (1 << (8 - png_ptr->gamma_shift));
4185 for (i = 0; i < istop; i++)
4186 {
4187 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4188 }
4189 png_free(png_ptr, png_ptr->gamma_16_to_1);
4190 png_ptr->gamma_16_to_1 = NULL;
4191 }
4192#endif /* 16BIT */
4193#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4194}
4195
4196/* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4197 * tables, we don't make a full table if we are reducing to 8-bit in
4198 * the future. Note also how the gamma_16 tables are segmented so that
4199 * we don't need to allocate > 64K chunks for a full 16-bit table.
4200 */
4201void /* PRIVATE */
4202png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4203{
4204 png_debug(1, "in png_build_gamma_table");
4205
4206 /* Remove any existing table; this copes with multiple calls to
4207 * png_read_update_info. The warning is because building the gamma tables
4208 * multiple times is a performance hit - it's harmless but the ability to
4209 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4210 * sensible to warn if the app introduces such a hit.
4211 */
4212 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4213 {
4214 png_warning(png_ptr, "gamma table being rebuilt");
4215 png_destroy_gamma_table(png_ptr);
4216 }
4217
4218 if (bit_depth <= 8)
4219 {
4220 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4221 png_ptr->screen_gamma > 0 ?
4222 png_reciprocal2(png_ptr->colorspace.gamma,
4223 png_ptr->screen_gamma) : PNG_FP_1);
4224
4225#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4226 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4227 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4228 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4229 {
4230 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4231 png_reciprocal(png_ptr->colorspace.gamma));
4232
4233 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4234 png_ptr->screen_gamma > 0 ?
4235 png_reciprocal(png_ptr->screen_gamma) :
4236 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4237 }
4238#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4239 }
4240#ifdef PNG_16BIT_SUPPORTED
4241 else
4242 {
4243 png_byte shift, sig_bit;
4244
4245 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4246 {
4247 sig_bit = png_ptr->sig_bit.red;
4248
4249 if (png_ptr->sig_bit.green > sig_bit)
4250 sig_bit = png_ptr->sig_bit.green;
4251
4252 if (png_ptr->sig_bit.blue > sig_bit)
4253 sig_bit = png_ptr->sig_bit.blue;
4254 }
4255 else
4256 sig_bit = png_ptr->sig_bit.gray;
4257
4258 /* 16-bit gamma code uses this equation:
4259 *
4260 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4261 *
4262 * Where 'iv' is the input color value and 'ov' is the output value -
4263 * pow(iv, gamma).
4264 *
4265 * Thus the gamma table consists of up to 256 256-entry tables. The table
4266 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4267 * of the color value then indexed by the upper 8 bits:
4268 *
4269 * table[low bits][high 8 bits]
4270 *
4271 * So the table 'n' corresponds to all those 'iv' of:
4272 *
4273 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4274 *
4275 */
4276 if (sig_bit > 0 && sig_bit < 16U)
4277 /* shift == insignificant bits */
4278 shift = (png_byte)((16U - sig_bit) & 0xff);
4279
4280 else
4281 shift = 0; /* keep all 16 bits */
4282
4283 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4284 {
4285 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4286 * the significant bits in the *input* when the output will
4287 * eventually be 8 bits. By default it is 11.
4288 */
4289 if (shift < (16U - PNG_MAX_GAMMA_8))
4290 shift = (16U - PNG_MAX_GAMMA_8);
4291 }
4292
4293 if (shift > 8U)
4294 shift = 8U; /* Guarantees at least one table! */
4295
4296 png_ptr->gamma_shift = shift;
4297
4298 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4299 * PNG_COMPOSE). This effectively smashed the background calculation for
4300 * 16-bit output because the 8-bit table assumes the result will be
4301 * reduced to 8 bits.
4302 */
4303 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4304 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4305 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4306 png_ptr->screen_gamma) : PNG_FP_1);
4307
4308 else
4309 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4310 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4311 png_ptr->screen_gamma) : PNG_FP_1);
4312
4313#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4314 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4315 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4316 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4317 {
4318 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4319 png_reciprocal(png_ptr->colorspace.gamma));
4320
4321 /* Notice that the '16 from 1' table should be full precision, however
4322 * the lookup on this table still uses gamma_shift, so it can't be.
4323 * TODO: fix this.
4324 */
4325 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4326 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4327 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4328 }
4329#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4330 }
4331#endif /* 16BIT */
4332}
4333#endif /* READ_GAMMA */
4334
4335/* HARDWARE OR SOFTWARE OPTION SUPPORT */
4336#ifdef PNG_SET_OPTION_SUPPORTED
4337int PNGAPI
4338png_set_option(png_structrp png_ptr, int option, int onoff)
4339{
4340 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4341 (option & 1) == 0)
4342 {
4343 png_uint_32 mask = 3U << option;
4344 png_uint_32 setting = (2U + (onoff != 0)) << option;
4345 png_uint_32 current = png_ptr->options;
4346
4347 png_ptr->options = (png_uint_32)(((current & ~mask) | setting) & 0xff);
4348
4349 return (int)(current & mask) >> option;
4350 }
4351
4352 return PNG_OPTION_INVALID;
4353}
4354#endif
4355
4356/* sRGB support */
4357#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4358 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4359/* sRGB conversion tables; these are machine generated with the code in
4360 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4361 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4362 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4363 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4364 * The inverse (linear to sRGB) table has accuracies as follows:
4365 *
4366 * For all possible (255*65535+1) input values:
4367 *
4368 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4369 *
4370 * For the input values corresponding to the 65536 16-bit values:
4371 *
4372 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4373 *
4374 * In all cases the inexact readings are only off by one.
4375 */
4376
4377#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4378/* The convert-to-sRGB table is only currently required for read. */
4379const png_uint_16 png_sRGB_table[256] =
4380{
4381 0,20,40,60,80,99,119,139,
4382 159,179,199,219,241,264,288,313,
4383 340,367,396,427,458,491,526,562,
4384 599,637,677,718,761,805,851,898,
4385 947,997,1048,1101,1156,1212,1270,1330,
4386 1391,1453,1517,1583,1651,1720,1790,1863,
4387 1937,2013,2090,2170,2250,2333,2418,2504,
4388 2592,2681,2773,2866,2961,3058,3157,3258,
4389 3360,3464,3570,3678,3788,3900,4014,4129,
4390 4247,4366,4488,4611,4736,4864,4993,5124,
4391 5257,5392,5530,5669,5810,5953,6099,6246,
4392 6395,6547,6700,6856,7014,7174,7335,7500,
4393 7666,7834,8004,8177,8352,8528,8708,8889,
4394 9072,9258,9445,9635,9828,10022,10219,10417,
4395 10619,10822,11028,11235,11446,11658,11873,12090,
4396 12309,12530,12754,12980,13209,13440,13673,13909,
4397 14146,14387,14629,14874,15122,15371,15623,15878,
4398 16135,16394,16656,16920,17187,17456,17727,18001,
4399 18277,18556,18837,19121,19407,19696,19987,20281,
4400 20577,20876,21177,21481,21787,22096,22407,22721,
4401 23038,23357,23678,24002,24329,24658,24990,25325,
4402 25662,26001,26344,26688,27036,27386,27739,28094,
4403 28452,28813,29176,29542,29911,30282,30656,31033,
4404 31412,31794,32179,32567,32957,33350,33745,34143,
4405 34544,34948,35355,35764,36176,36591,37008,37429,
4406 37852,38278,38706,39138,39572,40009,40449,40891,
4407 41337,41785,42236,42690,43147,43606,44069,44534,
4408 45002,45473,45947,46423,46903,47385,47871,48359,
4409 48850,49344,49841,50341,50844,51349,51858,52369,
4410 52884,53401,53921,54445,54971,55500,56032,56567,
4411 57105,57646,58190,58737,59287,59840,60396,60955,
4412 61517,62082,62650,63221,63795,64372,64952,65535
4413};
4414#endif /* SIMPLIFIED_READ */
4415
4416/* The base/delta tables are required for both read and write (but currently
4417 * only the simplified versions.)
4418 */
4419const png_uint_16 png_sRGB_base[512] =
4420{
4421 128,1782,3383,4644,5675,6564,7357,8074,
4422 8732,9346,9921,10463,10977,11466,11935,12384,
4423 12816,13233,13634,14024,14402,14769,15125,15473,
4424 15812,16142,16466,16781,17090,17393,17690,17981,
4425 18266,18546,18822,19093,19359,19621,19879,20133,
4426 20383,20630,20873,21113,21349,21583,21813,22041,
4427 22265,22487,22707,22923,23138,23350,23559,23767,
4428 23972,24175,24376,24575,24772,24967,25160,25352,
4429 25542,25730,25916,26101,26284,26465,26645,26823,
4430 27000,27176,27350,27523,27695,27865,28034,28201,
4431 28368,28533,28697,28860,29021,29182,29341,29500,
4432 29657,29813,29969,30123,30276,30429,30580,30730,
4433 30880,31028,31176,31323,31469,31614,31758,31902,
4434 32045,32186,32327,32468,32607,32746,32884,33021,
4435 33158,33294,33429,33564,33697,33831,33963,34095,
4436 34226,34357,34486,34616,34744,34873,35000,35127,
4437 35253,35379,35504,35629,35753,35876,35999,36122,
4438 36244,36365,36486,36606,36726,36845,36964,37083,
4439 37201,37318,37435,37551,37668,37783,37898,38013,
4440 38127,38241,38354,38467,38580,38692,38803,38915,
4441 39026,39136,39246,39356,39465,39574,39682,39790,
4442 39898,40005,40112,40219,40325,40431,40537,40642,
4443 40747,40851,40955,41059,41163,41266,41369,41471,
4444 41573,41675,41777,41878,41979,42079,42179,42279,
4445 42379,42478,42577,42676,42775,42873,42971,43068,
4446 43165,43262,43359,43456,43552,43648,43743,43839,
4447 43934,44028,44123,44217,44311,44405,44499,44592,
4448 44685,44778,44870,44962,45054,45146,45238,45329,
4449 45420,45511,45601,45692,45782,45872,45961,46051,
4450 46140,46229,46318,46406,46494,46583,46670,46758,
4451 46846,46933,47020,47107,47193,47280,47366,47452,
4452 47538,47623,47709,47794,47879,47964,48048,48133,
4453 48217,48301,48385,48468,48552,48635,48718,48801,
4454 48884,48966,49048,49131,49213,49294,49376,49458,
4455 49539,49620,49701,49782,49862,49943,50023,50103,
4456 50183,50263,50342,50422,50501,50580,50659,50738,
4457 50816,50895,50973,51051,51129,51207,51285,51362,
4458 51439,51517,51594,51671,51747,51824,51900,51977,
4459 52053,52129,52205,52280,52356,52432,52507,52582,
4460 52657,52732,52807,52881,52956,53030,53104,53178,
4461 53252,53326,53400,53473,53546,53620,53693,53766,
4462 53839,53911,53984,54056,54129,54201,54273,54345,
4463 54417,54489,54560,54632,54703,54774,54845,54916,
4464 54987,55058,55129,55199,55269,55340,55410,55480,
4465 55550,55620,55689,55759,55828,55898,55967,56036,
4466 56105,56174,56243,56311,56380,56448,56517,56585,
4467 56653,56721,56789,56857,56924,56992,57059,57127,
4468 57194,57261,57328,57395,57462,57529,57595,57662,
4469 57728,57795,57861,57927,57993,58059,58125,58191,
4470 58256,58322,58387,58453,58518,58583,58648,58713,
4471 58778,58843,58908,58972,59037,59101,59165,59230,
4472 59294,59358,59422,59486,59549,59613,59677,59740,
4473 59804,59867,59930,59993,60056,60119,60182,60245,
4474 60308,60370,60433,60495,60558,60620,60682,60744,
4475 60806,60868,60930,60992,61054,61115,61177,61238,
4476 61300,61361,61422,61483,61544,61605,61666,61727,
4477 61788,61848,61909,61969,62030,62090,62150,62211,
4478 62271,62331,62391,62450,62510,62570,62630,62689,
4479 62749,62808,62867,62927,62986,63045,63104,63163,
4480 63222,63281,63340,63398,63457,63515,63574,63632,
4481 63691,63749,63807,63865,63923,63981,64039,64097,
4482 64155,64212,64270,64328,64385,64443,64500,64557,
4483 64614,64672,64729,64786,64843,64900,64956,65013,
4484 65070,65126,65183,65239,65296,65352,65409,65465
4485};
4486
4487const png_byte png_sRGB_delta[512] =
4488{
4489 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4490 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4491 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4492 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4493 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4494 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4495 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4496 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4497 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4498 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4499 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4500 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4501 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4502 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4503 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4504 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4505 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4506 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4507 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4508 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4509 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4510 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4511 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4512 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4513 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4514 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4515 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4516 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4517 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4518 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4519 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4520 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4521};
4522#endif /* SIMPLIFIED READ/WRITE sRGB support */
4523
4524/* SIMPLIFIED READ/WRITE SUPPORT */
4525#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4526 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4527static int
4528png_image_free_function(png_voidp argument)
4529{
4530 png_imagep image = png_voidcast(png_imagep, argument);
4531 png_controlp cp = image->opaque;
4532 png_control c;
4533
4534 /* Double check that we have a png_ptr - it should be impossible to get here
4535 * without one.
4536 */
4537 if (cp->png_ptr == NULL)
4538 return 0;
4539
4540 /* First free any data held in the control structure. */
4541# ifdef PNG_STDIO_SUPPORTED
4542 if (cp->owned_file != 0)
4543 {
4544 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4545 cp->owned_file = 0;
4546
4547 /* Ignore errors here. */
4548 if (fp != NULL)
4549 {
4550 cp->png_ptr->io_ptr = NULL;
4551 (void)fclose(fp);
4552 }
4553 }
4554# endif
4555
4556 /* Copy the control structure so that the original, allocated, version can be
4557 * safely freed. Notice that a png_error here stops the remainder of the
4558 * cleanup, but this is probably fine because that would indicate bad memory
4559 * problems anyway.
4560 */
4561 c = *cp;
4562 image->opaque = &c;
4563 png_free(c.png_ptr, cp);
4564
4565 /* Then the structures, calling the correct API. */
4566 if (c.for_write != 0)
4567 {
4568# ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4569 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4570# else
4571 png_error(c.png_ptr, "simplified write not supported");
4572# endif
4573 }
4574 else
4575 {
4576# ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4577 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4578# else
4579 png_error(c.png_ptr, "simplified read not supported");
4580# endif
4581 }
4582
4583 /* Success. */
4584 return 1;
4585}
4586
4587void PNGAPI
4588png_image_free(png_imagep image)
4589{
4590 /* Safely call the real function, but only if doing so is safe at this point
4591 * (if not inside an error handling context). Otherwise assume
4592 * png_safe_execute will call this API after the return.
4593 */
4594 if (image != NULL && image->opaque != NULL &&
4595 image->opaque->error_buf == NULL)
4596 {
4597 /* Ignore errors here: */
4598 (void)png_safe_execute(image, png_image_free_function, image);
4599 image->opaque = NULL;
4600 }
4601}
4602
4603int /* PRIVATE */
4604png_image_error(png_imagep image, png_const_charp error_message)
4605{
4606 /* Utility to log an error. */
4607 png_safecat(image->message, (sizeof image->message), 0, error_message);
4608 image->warning_or_error |= PNG_IMAGE_ERROR;
4609 png_image_free(image);
4610 return 0;
4611}
4612
4613#endif /* SIMPLIFIED READ/WRITE */
4614#endif /* READ || WRITE */